Collaborate Disseminate
In this question I asked about how to handle situations when SHA-256 hashes are not available for a file downloaded from the internet that contains executable code. Another community member insightfully asked if a hash is really needed to… Continue reading If a file is digitally signed, is posting a hash very useful for security purposes?
If I understand correctly section 4.2 in Jacques Stern, David Pointcheval, John Malone-Lee, and Nigel P. Smart’s Flaws in Applying Proof Methodologies to Signature Schemes, in proceedings of Crypto 2002, they describe an attack that allows… Continue reading Premeditated substitution of ECDSA-signed message by the signer
Trusting the software/data with Digital Signature or means of hash will not work in case of zero day attack such as stuxnet where trusted vendor keys are stolen and as a part of installation they are trusted. In this case can we use blockchain for verifying the files hashes/digital signature for e.g.
Now suppose if someone tried to send the file by signing with stolen private key (from one of my vendor) we first verify that the file exists in our BlockChain and reject/accept accordingly.
There are some assumptions to this that I accept:
But if we have such setup can zero day attack be detected to some level.
Question is somewhat related to other Question asked:
I did not updated the original questions since changes are more.
Is there a scheme that let people derive public/private key pair from arbitrary secrets?
As you may know, digital signature schemes have versatile use cases. The problem is, the key pair handling is too difficult for end-users. On the othe… Continue reading Deriving digital signature key pair deterministically from an arbitrary secret
Digital Signature verification process for software installation can be done automatically during execution or manually by user. (I’m considering PKI Method of certification.)
For example, in case of some exe’s on Windows OS, if the Digita… Continue reading Digital Signature verification Automate vs Manual
The popularity of eSignature solutions has skyrocketed in the last year, as part of companies’ digital transformation efforts in the COVID-19 environment. Organizations considering eSignature solutions need to be thoughtful about the eSignature technol… Continue reading How do I select an eSignature solution for my business?
I sign my emails using PGP/MIME through Thunderbird. The scheme creates a detached signature of the whole email (body and headers), and add it as a separate attachment. The signature is valid for that email, and only for that email because… Continue reading Prevent PGP Signature from being Forwarded [closed]
A little bit of background: I want to sign my emails for my own safety. None of my intended recipients are users of digital signatures. If one day someone were to impersonate me, I can prove my own identity, and disprove the identity of my… Continue reading Standard form of email signature
Why are Leighton-Micali Signature Scheme (LMS) and eXtended Merkle Signature Scheme (XMSS) no candidates in the NIST Post-Quantum Cryptography Standardization process?
Both are mentioned in the final draft of Recommendation for Stateful Ha… Continue reading Why are LMS and XMSS no candidates in the Post-Quantum Cryptography Standardization process?
I am going through a short course on security. One of the videos is talking about non-repudiation in regards to cryptography and sending messages between Alice and Bob. This video talks about how digital signatures can be used to verify th… Continue reading How can digital signatures assure the sender their message has been correctly received?