Russ Housley wrote:
Steve:
The structure of the PKCS#1 key block used to encrypt a content-encryption
key in a recipient public key offers some integrity protection. Other
techniques have been defined that offer even more integrity.
The recipient of such a block has some assurance that the unwrapped key is
the one used by the originator. Thus, it is unlikely that the recipient
will spend time decrypting the message content if an attacker altered the
wrapped content-encryption key.
Can you be more specific about the integrity checks for the key
transport case?
I may well be missing something here but isn't it possible for an
attacker to just pick a random key (a bogus content encryption key),
encrypt that using the recipients public key and PKCS#1 rules?
This would then appear to be a similar attack to the DH one you are
trying to prevent. The recipient decrypts the block: it decrypts fine
and then uses the bogus content encryption key only to find a problem
when the message decrypts as garbage.
This may require that the attacker know the recipients public key: so I
suppose in that sense it is a little harder than the DH one.
Alternatively they can just copy the relevant sections of the structure
from another message to the same recipient.
My only real concern with the proposal was that it may indeed stop one
attack but there so many other trivial attacks that I can't see the
point. The essentially anonymous nature of such messages makes such
attacks inevitable and, compared to the alternative of implicit or
explicit signing of everything, desirable.
I have only one other objection to the wrapping method you are
suggesting: that it should be coded in ASN1 rather than raw data.
Steve.
--
Dr Stephen N. Henson.
UK based freelance Cryptographic Consultant. For info see homepage.
Homepage: http://www.drh-consultancy.demon.co.uk/
Email: shenson(_at_)bigfoot(_dot_)com
PGP key: via homepage.