ietf-openpgp

Re: message integrity checksum?

1998-01-07 17:30:47

David Formosa <dformosa@st.nepean.uws.edu.au> 
writes:
> On Tue, 6 Jan 1998, Adam Back wrote:

> > Gary Howland discussed PGP vulnerabilities at HIP97 I think.  One of
> > the vulnerabilities was that encrypted (but not signed) messages could
> > be altered undetectably.

> This vulnerability is common to any system that is encrypted but not
> signed.

Not necessarily, it just depends if this property has been designed
into the protocol design.  For example SSLv3 has cipher suite
ADH-DES-CBC3-SHA -- this cipher suite is not signed -- it is
symmetrically encrypted with 3DES, but it also has an HMAC based
authentication code with keying material derived from session data.

It is vulnerable to MITM, however, because there is no authentication
at all.

> Many systems are based on symmetric key technology only, where
> shared-key authentication mechanisms are used.
>
> This is why I asked "is this considered a problem?"

It could be a problem if people assume this property.  I think it
would be a useful property to add.  Either add, or note lack of this
property as a security warning.

I have some vague recollection that PGP said shortly after Gary gave
his talk that they had addressed the security problem(s) that Gary
raised.  It would appear that the modifiable unsigned bulk encrypted
data has not been fixed unless I missed this in the current draft.

Adam
-- 
Now officially an EAR violation...
Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/

print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`
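The property argued over above, that a bulk-encrypted but unsigned message can be altered undetectably unless the protocol adds a symmetric authentication code, is easy to see in code. The following is an added example written for this page; it is not code from the thread, from PGP, or from SSLv3. It uses only the Python standard library, so the cipher is an HMAC-SHA256 counter-mode stream cipher standing in for 3DES-CBC (the malleability it shows is the same: flipping ciphertext bits flips the corresponding plaintext bits). The session secret, the nonce, the key-derivation labels "enc" and "mac", and the sample message are all constructed for the demonstration.

```python
"""Encryption alone is malleable; an HMAC keyed from session data over the
ciphertext detects modification, but not a man in the middle who shares the
session secret.  Added example, stdlib only; not code from the thread."""
import hashlib
import hmac


def derive_keys(session_secret: bytes):
    """Derive separate encryption and MAC keys from shared session data.
    The labels are an assumption of this example, not SSLv3's key block."""
    k_enc = hmac.new(session_secret, b"enc", hashlib.sha256).digest()
    k_mac = hmac.new(session_secret, b"mac", hashlib.sha256).digest()
    return k_enc, k_mac


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC-SHA256(key, nonce || counter), concatenated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(k_enc: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with the keystream; decryption is the same operation."""
    return bytes(p ^ k for p, k in zip(data, keystream(k_enc, nonce, len(data))))


decrypt = encrypt


def mac(k_mac: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers the nonce and the whole ciphertext."""
    return hmac.new(k_mac, nonce + ciphertext, hashlib.sha256).digest()


def open_authenticated(k_enc, k_mac, nonce, ciphertext, tag):
    """Verify the tag in constant time before decrypting anything."""
    if not hmac.compare_digest(mac(k_mac, nonce, ciphertext), tag):
        raise ValueError("MAC check failed: ciphertext was modified")
    return decrypt(k_enc, nonce, ciphertext)


def flip_bytes(ciphertext: bytes, offset: int, delta: bytes) -> bytes:
    """Attacker's edit: XOR `delta` into the ciphertext at `offset`.  Under a
    stream cipher this XORs `delta` into the plaintext at the same offset;
    CBC gives the attacker the same control over the following block."""
    buf = bytearray(ciphertext)
    for i, d in enumerate(delta):
        buf[offset + i] ^= d
    return bytes(buf)


def _edit_for(msg: bytes, old: bytes, new: bytes):
    """The attacker is assumed to know the message layout, not the key."""
    return msg.index(old), bytes(a ^ b for a, b in zip(old, new))


def demo_unauthenticated(session_secret: bytes, nonce: bytes, msg: bytes) -> bytes:
    """Encrypted but not authenticated: the edit goes through unnoticed."""
    k_enc, _ = derive_keys(session_secret)
    ct = encrypt(k_enc, nonce, msg)
    offset, delta = _edit_for(msg, b"100", b"900")
    return decrypt(k_enc, nonce, flip_bytes(ct, offset, delta))


def demo_authenticated(session_secret: bytes, nonce: bytes, msg: bytes,
                       attacker_shares_secret: bool = False):
    """Encrypt-then-MAC.  Returns the accepted plaintext, or None if the
    receiver rejects the message.  A man in the middle on an unauthenticated
    (anonymous DH style) key agreement knows the session secret and simply
    recomputes the tag, which is the MITM caveat in the thread."""
    k_enc, k_mac = derive_keys(session_secret)
    ct = encrypt(k_enc, nonce, msg)
    tag = mac(k_mac, nonce, ct)
    offset, delta = _edit_for(msg, b"100", b"900")
    ct2 = flip_bytes(ct, offset, delta)
    if attacker_shares_secret:
        tag = mac(k_mac, nonce, ct2)
    try:
        return open_authenticated(k_enc, k_mac, nonce, ct2, tag)
    except ValueError:
        return None


if __name__ == "__main__":
    secret, nonce = b"constructed session secret", b"nonce-01"
    msg = b"PAY 100 TO ALICE"
    print(demo_unauthenticated(secret, nonce, msg))             # b'PAY 900 TO ALICE'
    print(demo_authenticated(secret, nonce, msg))               # None (rejected)
    print(demo_authenticated(secret, nonce, msg, True))         # b'PAY 900 TO ALICE'
```

The unauthenticated run changes the amount without the recipient noticing anything; the authenticated run rejects the same edit. The third run is the point made about ADH cipher suites: the MAC proves the ciphertext was not touched by anyone who lacks the session secret, so it stops a passive-line tamperer, but an attacker who sat in the middle of an unauthenticated key exchange holds that secret and re-MACs at will.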
