Editing
Digital signature
(section)
====Limitations====

'''Replays.''' A digital signature scheme on its own does not prevent a valid signed message from being recorded and then maliciously reused in a [[replay attack]]. For example, the branch office may legitimately request that a bank transfer be issued once in a signed message. If the bank doesn't use a system of transaction IDs in its messages to detect which transfers have already happened, someone could illegitimately reuse the same signed message many times to drain an account.<ref name="stinson3e2006digsigs"/>

'''Uniqueness and malleability of signatures.''' A signature itself cannot be used to uniquely identify the message it signs—in some signature schemes, every message has a large number of possible valid signatures from the same signer, and it may be easy, even without knowledge of the private key, to transform one valid signature into another.<ref name="bcjz2020ed25519sectheorypractice">{{cite tech report |first1=Jacqueline |last1=Brendel |first2=Cas |last2=Cremers |first3=Dennis |last3=Jackson |first4=Meng |last4=Zhao |title=The Provable Security of Ed25519: Theory and Practice |publisher=IACR Cryptology ePrint Archive |number=2020/823 |date=2020-10-14 |url=https://eprint.iacr.org/2020/823 }}</ref> If signatures are misused as transaction IDs in an attempt by a bank-like system such as a [[Bitcoin]] exchange to detect replays, this can be exploited to replay transactions.<ref name="decker-wattenhofer2014btcmalleablemtgox">{{cite conference |first1=Christian |last1=Decker |first2=Roger |last2=Wattenhofer |title=Bitcoin Transaction Malleability and MtGox |doi=10.1007/978-3-319-11212-1_18 |pages=313–326 |editor-first1=Mirosław |editor-last1=Kutyłowski |editor-first2=Jaideep |editor-last2=Vaidya |conference=European Symposium on Research in Computer Security—ESORICS |year=2014 |series=Lecture Notes in Computer Science |volume=8713 |publisher=Springer |isbn=978-3-319-11212-1 |doi-access=free |arxiv=1403.6676 }}</ref>

'''Authenticating a public key.''' Prior knowledge of a ''public key'' can be used to verify authenticity of a ''signed message'', but not the other way around—prior knowledge of a ''signed message'' cannot be used to verify authenticity of a ''public key''. In some signature schemes, given a signed message, it is easy to construct a public key under which the signed message will pass verification, even without knowledge of the private key that was used to make the signed message in the first place.<ref name="ayer2015sigmisuseacme">{{cite mailing list |first1=Andrew |last1=Ayer |title=Signature misuse vulnerability in draft-barnes-acme-04 |date=2015-08-11 |mailing-list=acme@ietf.org |url=https://mailarchive.ietf.org/arch/msg/acme/F71iz6qq1o_QPVhJCV4dqWf-4Yc/ |access-date=2023-06-12 }}</ref>
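The following Go program is an added worked example, not part of the article or of any cited work; it illustrates the ''Replays'' and ''Authenticating a public key'' limitations above with the bank-transfer scenario from the text. It uses Ed25519 from Go's standard <code>crypto/ed25519</code> package; the <code>Transfer</code> and <code>Bank</code> types, the transaction-ID register, the "pinned" key registry, and the branch/account identifiers are all constructed for the example. The bank verifies each message under a public key it already holds for the claimed sender, and then consumes the message's transaction ID, so the same signed message delivered twice is rejected; the final check shows why prior knowledge of the key matters, since a verifier that simply takes the public key bundled with a message cannot distinguish a genuine message from one signed with any other key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Transfer is a constructed example payload: what a branch office signs when
// asking the bank to move funds. TxID is the per-request identifier the bank
// uses to detect a replayed message.
type Transfer struct {
	TxID   string `json:"tx_id"`
	From   string `json:"from"`
	To     string `json:"to"`
	Amount int64  `json:"amount"`
}

// SignedTransfer is the transfer plus its signature and the claimed sender.
// It deliberately carries no public key: the bank must already hold the key
// for Sender (pinned out of band, an assumption of this example).
type SignedTransfer struct {
	Sender    string
	Transfer  Transfer
	Signature []byte
}

// bytes is the canonical encoding that is signed and verified. Struct field
// order fixes the JSON field order, so the encoding is deterministic.
func (t Transfer) bytes() []byte {
	b, err := json.Marshal(t)
	if err != nil {
		panic(err) // cannot happen for plain string/int fields
	}
	return b
}

// Sign produces a signed transfer with the sender's Ed25519 private key.
func Sign(priv ed25519.PrivateKey, sender string, t Transfer) SignedTransfer {
	return SignedTransfer{Sender: sender, Transfer: t, Signature: ed25519.Sign(priv, t.bytes())}
}

var (
	ErrUnknownSender = errors.New("no pinned public key for sender")
	ErrBadSignature  = errors.New("signature does not verify under the pinned key")
	ErrReplay        = errors.New("transaction ID already processed (replay)")
)

// Bank holds the pinned public keys and the set of transaction IDs already
// honoured; together they turn a bare signature check into a sender-
// authenticated, replay-resistant protocol.
type Bank struct {
	Keys map[string]ed25519.PublicKey
	Seen map[string]bool
}

func NewBank() *Bank {
	return &Bank{Keys: map[string]ed25519.PublicKey{}, Seen: map[string]bool{}}
}

// Process verifies a signed transfer under the pinned key for the claimed
// sender, then rejects it if its TxID was seen before. Only a message that
// verifies may consume a TxID, so unsigned junk cannot burn IDs.
func (b *Bank) Process(st SignedTransfer) error {
	pub, ok := b.Keys[st.Sender]
	if !ok {
		return ErrUnknownSender
	}
	if !ed25519.Verify(pub, st.Transfer.bytes(), st.Signature) {
		return ErrBadSignature
	}
	if b.Seen[st.Transfer.TxID] {
		return ErrReplay
	}
	b.Seen[st.Transfer.TxID] = true
	return nil
}

// Demo walks through the scenarios and returns each outcome: the first
// delivery, the replay of the same bytes, a message signed with an unpinned
// key but claiming to be branch-1, and whether that same message verifies
// when a verifier naively trusts a key bundled with the message.
func Demo() (first, replay, wrongKey error, naiveAccepts bool) {
	branchPub, branchPriv, _ := ed25519.GenerateKey(rand.Reader)
	bank := NewBank()
	bank.Keys["branch-1"] = branchPub // pinned before any message arrives

	transfer := Transfer{TxID: "tx-0001", From: "branch-1", To: "acct-42", Amount: 500}
	signed := Sign(branchPriv, "branch-1", transfer)
	first = bank.Process(signed)  // legitimate request: accepted
	replay = bank.Process(signed) // identical message again: rejected by TxID

	otherPub, otherPriv, _ := ed25519.GenerateKey(rand.Reader) // key the bank never pinned
	forged := Sign(otherPriv, "branch-1", Transfer{TxID: "tx-0002", From: "branch-1", To: "acct-99", Amount: 500})
	wrongKey = bank.Process(forged) // pinned-key check rejects it
	// A verifier that takes the public key from the message itself would accept it.
	naiveAccepts = ed25519.Verify(otherPub, forged.Transfer.bytes(), forged.Signature)
	return
}

func main() {
	first, replay, wrongKey, naive := Demo()
	fmt.Println("first delivery:", first)
	fmt.Println("replay:", replay)
	fmt.Println("unpinned key claiming branch-1:", wrongKey)
	fmt.Println("naive verifier (key taken from message) accepts:", naive)
}
```

The ordering inside <code>Process</code> is deliberate: the transaction ID is only recorded after the signature verifies under the pinned key, so an unauthenticated party cannot exhaust or pre-empt identifiers, and the replay check is keyed on the ID rather than on the signature bytes, which is the misuse the ''Uniqueness and malleability'' paragraph warns against.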