Recovering Public Keys from Signatures

Interesting summary of various ways to derive the public key from digitally signed files.

Normally, with a signature scheme, you have the public key and want to know whether a given signature is valid. But what if we instead have a message and a signature, assume the signature is valid, and want to know which public key signed it? A rather delightful property if you want to attack anonymity in some proposed “everybody just uses cryptographic signatures for everything” scheme.
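As an added illustration of the ECDSA case (example code written for this page, not taken from the linked article or this post): textbook ECDSA over secp256k1 in pure Python, with a recover() that returns every public key under which a given (message, signature) pair verifies. Bitcoin and Ethereum ship a small "recovery id" next to each signature precisely so a verifier can pick the right candidate; without it the list is still at most four keys, which is why a signature alone already narrows "who signed this" to a handful of possibilities.

```python
import hashlib, secrets

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F  # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,  # generator
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p, q):  # affine addition on y^2 = x^3 + 7 mod P; None = point at infinity
    if p is None or q is None:
        return q if p is None else p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # p + (-p)
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, p):  # double-and-add (not constant-time; demo only)
    acc = None
    while k:
        if k & 1:
            acc = add(acc, p)
        p, k = add(p, p), k >> 1
    return acc

def hash_to_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def sign(d, msg):  # textbook ECDSA with private scalar d and a random nonce k
    z, k = hash_to_int(msg), secrets.randbelow(N - 1) + 1
    r = mul(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * d) % N
    return r, s  # r == 0 or s == 0 has negligible probability; a real signer would retry

def recover(msg, sig):  # every Q that verifies (r, s): Q = r^-1 * (s*R - z*G)
    r, s = sig
    z, r_inv, keys = hash_to_int(msg), pow(r, -1, N), []
    for x in [v for v in (r, r + N) if v < P]:  # signature holds R.x mod N: R.x is r or r + N
        rhs = (x**3 + 7) % P
        y = pow(rhs, (P + 1) // 4, P)  # modular sqrt, valid because P % 4 == 3
        if y * y % P == rhs:  # otherwise no curve point has this x-coordinate
            for yy in (y, P - y):  # both signs of y give a candidate R
                q = mul(r_inv, add(mul(s, (x, yy)), mul(N - z, G)))
                if q is not None:  # infinity is not a usable public key
                    keys.append(q)
    return keys
```

The private scalar never appears in recover(): the candidate set is computed from the signature and message alone, and the signer's real key is always one of them.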

Posted on June 20, 2024 at 7:10 AM • 8 Comments

Comments

Clive Robinson June 20, 2024 8:21 AM

@ Bruce, ALL,

“But what if we instead have a message and a signature, assume the signature is valid, and want to know which public key signed it?”

The “theory” was that the signing process would inherit the “One Way Function” (OWF) properties of being non-reversible, thus the only attack would be a form of “Dictionary Attack” we used to call “Rainbow Tables”.

However it was obvious from the get go that no such signature would be “unique to a message”.

That is, there would be an infinite number of messages that would produce the same signature, either from a single Key or all Keys.

It’s the same issue as the numbers between the natural numbers. There is an infinite number of rational numbers and between those an infinite number of real numbers. The problem is that all common usable presentations give a “string of digits” that gets truncated in some way so are in fact the equivalent of natural numbers that produce the same string of digits.

This in turn tells us there will be interesting effects such as we get with other counting systems.

cybershow June 20, 2024 3:15 PM

The article seemed a little confusing in purpose until “public keys are public”. Not immediately obvious what the threat was and it needed a standard Alice, Bob and Eve set-up with the misunderstandings explained.

That said, these edge case misunderstandings like “I can encrypt and sign something and, notwithstanding any routing and meta-data leakage, an eavesdropper will not know it came from me” are fascinating – not exactly counter-intuitive, but serious foot-guns for the average user saddled with numerous weak assumptions.

Here’s my thoughts this week on splits in cybersecurity and how “professional” and “consumer” worlds may diverge as people are hoodwinked into poor security by tech companies who have an obvious financial interest in poor security – an “insecurity industry”.

Clive Robinson June 20, 2024 6:20 PM

@ Andy Farnell

A little proofreading required: you’ve left out one or three “little words”.

But you gave an “outgoing” assumption I’m none too sure will happen.

Funny on for you, remember Liz Truss?

Ever look her father up?

I have a couple of his well written books in my dead tree cave.

Let’s just say Liz is very definitely the bum sheep of the family and uselessly opposite to all of them.

But back to “security”…

For four or five decades commercial and consumer computer use has been about “connectivity”. In part last century because “Personal Computers” were lacking resources in various areas. You might have noticed they still are,

“Try putting a wired network on a modern personal computing device”

Google’s OS offerings do not support them and turning “wireless connect to all” off is rapidly becoming the equivalent of cleaning the “Augean Stables” on all three “Consumer OS Suppliers” products.

If you look back on this blog you will find I talk not of the old “air gapping” but the harder to solve “Energy Gapping” and the use of two computers. The first is your “Private Work” that is never connected to any communications or potential communications network (that includes the mains power and audio etc). I suspect you know quite a bit about 1980s computing where PDAs got connectivity by IR LEDs and ultrasonics, so can appreciate why I say “energy” rather than “air” when it comes to gapping.

The second computer is one made of the oldest bits you can get working hopefully without “Flash ROM” and no hard drive etc. The OS being Open-Source runs off of Write Once CD or DVD. This is your connection machine to the outside world.

The problem is “gap crossing”, of which the simplest is “Paper Paper Never Data”: you print stuff out ASCII only on the work computer and use the second computer in a similar way to an old fax machine. Scan in and send, or scan in, OCR and send.

I happen to use a data diode based around fiber optics you find around low cost audio studios that is one way RS232 equivalent. Not exactly hard to make and the parts are still fairly available. I “instrument” in between with a microprocessor based system I designed and manufactured and it’s scary just how much computing power you get for your buck these days. People have ported across early versions of Unix for which all the source is available, and unlike Linux is small enough that a semi reasonable programmer can get their head around.

I know it sounds mad but security “lies in things of the past”

As for “user utilities” I have an Apple ][ from the 1970s that uses a 6502 processor at 1 MHz which is less than 1/1000th of most modern CPUs and it’s only 8-bit not hybrid 64/128 as modern CPU+GPU have a habit of being. So it should be ridiculously slow in comparison… Nope, the keyboard to screen response in a basic WordProcessor is about twice as fast on the Apple ][ than on a modernish MS Win 8 machine; as for Win 10 let’s just say

“I don’t think there is enough coal in the world for it to get up enough steam to catch up.”

Any way, enough reminiscing about security failings of the modern world.

B June 21, 2024 7:29 AM

How to discover the self-signed CA when HSTS is enabled and you can’t disable signature verification and you don’t have the self-signed CA.

Welcome to the world of lean agile services!!!

Clive Robinson June 21, 2024 9:23 AM

@ Bruce, ALL

In a similar vein,

https://gist.github.com/DavidBuchanan314/a15e93eeaaad977a0fec3a6232c0b8ae#file-00_writeup-md

“Here’s the scenario: We want to craft two different messages with the same MD5 hash, and a specific CRC32 checksum, simultaneously.

In other words, we want an MD5 collision attack and a CRC32 preimage attack.”

OK, MD5 is an old creaker of a hash and not considered CS these days. As for CRC32, it was an Error Detecting Code, nothing more, and little more than “adding up the bytes” in a more efficient way.

But it’s “assumed” by many that the use of two unrelated payload checks makes security vastly increased, whereas the reality is “not so much”.

Clive Robinson June 21, 2024 10:31 AM

@ ALL,

Since the announcement of the closing of the squid pages, it makes notifying readers of new information hard.

Aside from suggesting people post on the last “semi-relevant” thread and everyone reads the ‘100 latest comments’ page,

https://www.schneier.com/blog/newcomments.html/

I can see no way other than posting to the latest thread which is undesirable but…

So as a sort of halfway house position,

“Themes from Real World Crypto 2024”

From the “Trail of Bits Blog”

https://blog.trailofbits.com/2024/06/18/themes-from-real-world-crypto-2024/

“[At] Real World Crypto 2024, a three-day event that hosted hundreds of brilliant minds in the field of cryptography. We also attended three associated events: the Real World Post-Quantum Cryptography (RWPQC) workshop, the Fully Homomorphic Encryption (FHE) workshop, and the Open Source Cryptography Workshop (OSCW). Reflecting on the talks and expert discussions held at the event, we identified some themes that stood out”

cybershow June 21, 2024 5:40 PM

@Clive

Most interesting to read of John Truss. My discrete math texts were Biggs (Oxford) and Johnsonbaugh (Chicago) but I was completely unaware of Truss and his “masterful and thorough” Mathematical Gazette.
