undefined | Better HN

0 pointsbjornsing9y ago0 comments

Is it...? I've designed a system that used the SHA-256 hash of an RSA public key to establish trust between a client and a server. Client gets the SHA-256 hash as part of its static configuration (out of band). When the client connects to the server over DTLS it gets its public key, and checks that the key hashes to the configured value.

Isn't it rather obvious that no third party can attack this system even if they can create an SHA-256 collision?

Sure, you can dream up some weird scenario where someone could set up two servers with different RSA public keys that would hash to the same value, so that the client could be fooled into connecting to one when it thought it was connected to the other. But to me it seems quite obvious that that's outside the treat model / irrelevant.

0 comments

1 comments · 1 top-level

infinity09y ago

I'd say this is a "very simple system". Real use-cases are more complex and have to deal with various issues you brushed aside by saying "out of band".

Especially in situations where you don't trust what's giving you the hash (e.g. because you haven't authenticated them yet, or because the application inherently means you can't trust them even if you have authenticated them) then collision resistance most likely necessary.

j / k navigate · click thread line to collapse