Open main menu
Home
Random
Recent changes
Special pages
Community portal
Preferences
About Wikipedia
Disclaimers
Incubator escapee wiki
Search
User menu
Talk
Dark mode
Contributions
Create account
Log in
Editing
Digital signature
(section)
Warning:
You are not logged in. Your IP address will be publicly visible if you make any edits. If you
log in
or
create an account
, your edits will be attributed to your username, along with other benefits.
Anti-spam check. Do
not
fill this in!
====Limitations==== '''Replays.''' A digital signature scheme on its own does not prevent a valid signed message from being recorded and then maliciously reused in a [[replay attack]]. For example, the branch office may legitimately request that bank transfer be issued once in a signed message. If the bank doesn't use a system of transaction IDs in their messages to detect which transfers have already happened, someone could illegitimately reuse the same signed message many times to drain an account.<ref name="stinson3e2006digsigs"/> '''Uniqueness and malleability of signatures.''' A signature itself cannot be used to uniquely identify the message it signs—in some signature schemes, every message has a large number of possible valid signatures from the same signer, and it may be easy, even without knowledge of the private key, to transform one valid signature into another.<ref name="bcjz2020ed25519sectheorypractice">{{cite tech report |first1=Jacqueline |last1=Brendel |first2=Cas |last2=Cremers |first3=Dennis |last3=Jackson |first4=Meng |last4=Zhao |title=The Provable Security of Ed25519: Theory and Practice |publisher=IACR Cryptology ePrint Archive |number=2020/823 |date=2020-10-14 |url=https://eprint.iacr.org/2020/823 }}</ref> If signatures are misused as transaction IDs in an attempt by a bank-like system such as a [[Bitcoin]] exchange to detect replays, this can be exploited to replay transactions.<ref name="decker-wattenhofer2014btcmalleablemtgox">{{cite conference |first1=Christian |last1=Decker |first2=Roger |last2=Wattenhofer |title=Bitcoin Transaction Malleability and MtGox |doi=10.1007/978-3-319-11212-1_18 |pages=313–326 |editor-first1=Mirosław |editor-last1=Kutyłowski |editor-first2=Jaideep |editor-last2=Vaidya |conference=European Symposium on Research in Computer Security—ESORICS |year=2014 |series=Lecture Notes in Computer Science |volume=8713 |publisher=Springer |isbn=978-3-319-11212-1 |doi-access=free |arxiv=1403.6676 }}</ref> '''Authenticating a public key.''' Prior knowledge of a ''public key'' can be used to verify authenticity of a ''signed message'', but not the other way around—prior knowledge of a ''signed message'' cannot be used to verify authenticity of a ''public key''. In some signature schemes, given a signed message, it is easy to construct a public key under which the signed message will pass verification, even without knowledge of the private key that was used to make the signed message in the first place.<ref name="ayer2015sigmisuseacme">{{cite mailing list |first1=Andrew |last1=Ayer |title=Signature misuse vulnerability in draft-barnes-acme-04 |date=2015-08-11 |mailing-list=acme@ietf.org |url=https://mailarchive.ietf.org/arch/msg/acme/F71iz6qq1o_QPVhJCV4dqWf-4Yc/ |access-date=2023-06-12 }}</ref>
Edit summary
(Briefly describe your changes)
By publishing changes, you agree to the
Terms of Use
, and you irrevocably agree to release your contribution under the
CC BY-SA 4.0 License
and the
GFDL
. You agree that a hyperlink or URL is sufficient attribution under the Creative Commons license.
Cancel
Editing help
(opens in new window)