
Let's say we have a group of id/signature pairs like:

https://picasaweb.google.com/${ID1}?authkey=${SIGNATURE1}
https://picasaweb.google.com/${ID2}?authkey=${SIGNATURE2}
https://picasaweb.google.com/${ID3}?authkey=${SIGNATURE3}
https://picasaweb.google.com/${ID4}?authkey=${SIGNATURE4}
....

It is one way picasa shares the links, so they are all persistent.

If we can collect thousands or millions of those id/signature pairs, does that make the private key vulnerable, so that we could generate a signature for any new ID?

(Assuming the encryption method is sha1 or sha256. What if there is a salt or not?)

(Picasa is just an example; please don't target Picasa. It is a general question, as we have seen many sites using this method.)

(Let's say the signature is generated by this method: HMAC SHA1 Signature in Java)

Tom Fishman
  • What are those 'signatures' exactly? Are those SHA hashes, or RSA digital signatures (they are somewhat related, but also very different things)? – Eric Petroelje Dec 26 '12 at 18:53
  • Let's say the signature is generated by this method: http://stackoverflow.com/questions/10859526/hmac-sha1-signature-in-java – Tom Fishman Dec 26 '12 at 18:57
  • This is related to ps3's epic fail: http://www.youtube.com/watch?v=Eag0VyRTld8 at 7:27. Though the signature methods are different. – Tom Fishman Dec 26 '12 at 21:13
  • Seems Sony's problem was that their random numbers weren't random. So although the algorithm itself is fine, their implementation was flawed. – Eric Petroelje Dec 26 '12 at 21:22

1 Answer

So what the question really boils down to is whether or not a signed hash actually "leaks" any information about the key that was used to sign the hash. Assuming a strong key and a good hash function, no information about the key should be leaked by an HMAC, even if the plaintext is known.

Here's a link to a similar question on the cryptography stackexchange with a good answer:

https://crypto.stackexchange.com/questions/2538/is-my-hmac-secure-if-i-have-a-complete-series-of-hmacd-prefix-strings

Eric Petroelje
  • Do you have any (authoritative) reference we can check? – Tom Fishman Dec 28 '12 at 04:34
  • @Tom - if you look at the RFC, you'll see some information about what cryptanalysis they've done around HMAC. From what I've seen, most attacks rely on finding hash collisions, which is impractical even with SHA1, much less SHA2. Of course, that assumes that you are "doing it right" (unlike in the Sony example). – Eric Petroelje Dec 28 '12 at 14:19
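To make the answer concrete, here is an added worked example (written for this page, not code from either poster or from Picasa) of the URL-signing scheme the question describes: the `authkey` is an HMAC-SHA1 over the album ID under a server-side key. It builds and verifies share links, harvests a large table of id/authkey pairs the way the question imagines an attacker would, and shows that none of the harvested values is accepted for an unseen ID; only the holder of the key can produce a valid `authkey`. The key bytes, the ID format and the helper names are constructed assumptions.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlparse

# Constructed demo key (20 bytes). A real service would load a long random
# key from a secret store; the key, not the hash, is what keeps authkeys unforgeable.
DEMO_KEY = bytes.fromhex("5f3a9c1e7b2d4f6081a3c5e7f9b1d3e5f7a9c1e3")

BASE = "https://picasaweb.google.com/"  # URL shape taken from the question


def sign_id(key: bytes, album_id: str) -> str:
    """HMAC-SHA1 over the identifier; this hex string is the 'authkey' in the link."""
    return hmac.new(key, album_id.encode("utf-8"), hashlib.sha1).hexdigest()


def build_share_url(key: bytes, album_id: str) -> str:
    """Server side: mint a persistent share link for one album."""
    return f"{BASE}{album_id}?authkey={sign_id(key, album_id)}"


def parse_share_url(url: str) -> tuple[str, str]:
    """Split a share link back into (album_id, presented_authkey)."""
    parts = urlparse(url)
    album_id = parts.path.lstrip("/")
    authkey = parse_qs(parts.query).get("authkey", [""])[0]
    return album_id, authkey


def verify_share_url(key: bytes, url: str) -> bool:
    """Server side: recompute the HMAC and compare in constant time."""
    album_id, presented = parse_share_url(url)
    expected = sign_id(key, album_id)
    return hmac.compare_digest(expected, presented)


def collect_pairs(key: bytes, ids: list[str]) -> dict[str, str]:
    """What a scraper could gather: many (id, authkey) pairs, all valid."""
    return {album_id: sign_id(key, album_id) for album_id in ids}


def replay_attempts_rejected(key: bytes, pairs: dict[str, str], new_id: str) -> bool:
    """Try every harvested authkey against an ID that was never shared.
    Returns True when the verifier rejects all of them."""
    return all(
        not verify_share_url(key, f"{BASE}{new_id}?authkey={sig}")
        for sig in pairs.values()
    )


if __name__ == "__main__":
    ids = [f"1{n:05d}" for n in range(1000)]  # constructed sequential album IDs
    pairs = collect_pairs(DEMO_KEY, ids)
    print("distinct authkeys:", len(set(pairs.values())))
    link = build_share_url(DEMO_KEY, "100042")
    print("genuine link verifies:", verify_share_url(DEMO_KEY, link))
    print("harvested authkeys rejected for new ID:",
          replay_attempts_rejected(DEMO_KEY, pairs, "999999"))
```

The check that matters for the question is `replay_attempts_rejected`: sequential IDs produce unrelated authkeys, so a table of pairs, however large, gives nothing to extrapolate from. `hmac.compare_digest` matters on the verifying side so that an attacker cannot learn a valid authkey byte by byte from response timing.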