Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://furry.engineer/users/soatok/statuses/113917423001484151">Soatok Dreamseeker (soatok@furry.engineer)'s status on Thursday, 30-Jan-2025 22:17:22 JST</a><a href="https://furry.engineer/@soatok" title="soatok@furry.engineer"><img src="https://gnusocial.jp/avatar/34725-48-20230823231406.webp" width="48" height="48" alt="Soatok Dreamseeker" style="position: absolute; left: 0; top: 0;">Soatok Dreamseeker</a><div><a href="https://furry.engineer/@soatok/113917392479083137" rel="in-reply-to">in reply to</a></div></section><article><p>This contrived dialogue may have tripped alarms in your mind, even if you're not a nightmare magic math specialist.</p><p>If so, this is the same kind of "oh noooooo" I feel whenever a protocol decides which algorithm to use based entirely on potentially attacker-controlled data.</p><p>Grabbing the algorithm from a message signature? Bozo bit flipped!</p><p>Grabbing the public key from the message signature? I'm over the moon. (Session does this, even though there's an external bit of logic binding it to the user's long-term birationally equivalent X25519 public key.)</p><p>The only acceptable way to do this is:</p><ol><li>Have a randomly generated Key ID that points to a specific keypair.</li><li>Include this Key ID in the data being authenticated.</li><li>To figure out the algorithm to use for a given key, consult the key (not the signature or message).</li></ol></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/4477423#notice-8765740">In conversation</a><time datetime="2025-01-30T22:17:22+09:00" title="Thursday, 30-Jan-2025 22:17:22 JST">about 8 days ago</time> <span>from <span><a href="https://furry.engineer/@soatok/113917423001484151" rel="external" title="Sent from furry.engineer via ActivityPub">furry.engineer</a></span></span><a href="https://furry.engineer/@soatok/113917423001484151">permalink</a><h4>Attachments</h4><ol><li><label><a rel="external" href="https://gnusocial.jp/attachment/4049563">Untitled attachment</a></label><br></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
Soatok Dreamseeker (soatok@furry.engineer)'s status on Thursday, 30-Jan-2025 22:17:22 JST Soatok Dreamseeker
in reply to
This contrived dialogue may have tripped alarms in your mind, even if you're not a nightmare magic math specialist.
If so, this is the same kind of "oh noooooo" I feel whenever a protocol decides which algorithm to use based entirely on potentially attacker-controlled data.
Grabbing the algorithm from a message signature? Bozo bit flipped!
Grabbing the public key from the message signature? I'm over the moon. (Session does this, even though there's an external bit of logic binding it to the user's long-term birationally equivalent X25519 public key.)
The only acceptable way to do this is:
1. Have a randomly generated Key ID that points to a specific keypair.
2. Include this Key ID in the data being authenticated.
3. To figure out the algorithm to use for a given key, consult the key (not the signature or message).
In conversationabout 8 days ago from furry.engineerpermalink
Attachments
1. Untitled attachment

Public

Embed Notice

HTML Code

Corresponding Notice