Signing Ambiguous Messages


Description of the Problem

Many sites create an authenticator by signing the plain concatenation of the username and the expiration time under a key. The problem with this type of system is that an adversary can abuse it by choosing a username which, once concatenated with its expiration time, yields exactly the same string, and therefore the same authenticator, as another existing user.

For example, a user with username Alice and expiration date 21-Apr-2001 results in the authenticator signed(Alice21-Apr-2001,key). However, a user Alice2 with expiration date 1-Apr-2001 will have the same authenticator, signed(Alice21-Apr-2001,key), because the two concatenated strings are identical.

Solutions

To avoid this problem, site designers should either use an unambiguous representation of the fields (one from which the original fields can always be recovered) or place delimiters between the fields, making sure that a delimiter can never appear inside a field.
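The following is an added example, not code from the original page or from any site it describes; it assumes the "signed(message, key)" step is an HMAC-SHA256 tag, and the key and user records are constructed for illustration. It reproduces the Alice / Alice2 collision under plain concatenation, then shows the two fixes the text recommends: a delimiter that is rejected if it occurs inside a field, and a length-prefixed encoding that is unambiguous by construction.

```python
import hmac
import hashlib

# Constructed example key; a real site would use a random, secret key.
KEY = b"example-secret-key"


def ambiguous_encode(username: str, expiry: str) -> bytes:
    """The flawed scheme from the text: plain concatenation of the fields."""
    return (username + expiry).encode()


def delimited_encode(username: str, expiry: str, sep: str = "|") -> bytes:
    """Fields joined by a delimiter.

    This is only unambiguous if the delimiter can never occur inside a
    field, so any field containing it is rejected outright."""
    for field in (username, expiry):
        if sep in field:
            raise ValueError("field contains the delimiter")
    return sep.join((username, expiry)).encode()


def length_prefixed_encode(username: str, expiry: str) -> bytes:
    """Each field is preceded by its 4-byte big-endian length, so the
    encoding can always be parsed back into exactly the original fields."""
    out = b""
    for field in (username, expiry):
        raw = field.encode()
        out += len(raw).to_bytes(4, "big") + raw
    return out


def length_prefixed_decode(data: bytes) -> tuple:
    """Inverse of length_prefixed_encode; proves the encoding is invertible."""
    fields = []
    pos = 0
    while pos < len(data):
        n = int.from_bytes(data[pos:pos + 4], "big")
        pos += 4
        fields.append(data[pos:pos + n].decode())
        pos += n
    return tuple(fields)


def authenticator(message: bytes, key: bytes = KEY) -> str:
    """The 'signed(message, key)' step of the text, here an HMAC-SHA256 tag."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def collides(encode, a: tuple, b: tuple) -> bool:
    """True if two distinct (username, expiry) pairs get the same authenticator."""
    return a != b and authenticator(encode(*a)) == authenticator(encode(*b))


# The two users from the text (constructed records).
ALICE = ("Alice", "21-Apr-2001")
ALICE2 = ("Alice2", "1-Apr-2001")

if __name__ == "__main__":
    print("plain concatenation collides:", collides(ambiguous_encode, ALICE, ALICE2))
    print("delimited collides:          ", collides(delimited_encode, ALICE, ALICE2))
    print("length-prefixed collides:    ", collides(length_prefixed_encode, ALICE, ALICE2))
```

The length-prefixed form is the safer default: the delimiter approach depends on rejecting (or escaping) the delimiter in every field, which is easy to forget when a new field is added later, whereas a length prefix needs no such rule.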

List of sites that have suffered this problem

