
RE: Comments on smime-cms-07

1998-11-10 13:56:34
I removed those items with which I had no more problems.

-----Original Message-----
From: Russ Housley [mailto:housley(_at_)spyrus(_dot_)com]
Sent: Tuesday, November 10, 1998 12:41 PM
To: Jim Schaad (Exchange)
Cc: ietf-smime(_at_)imc(_dot_)org
Subject: Re: Comments on smime-cms-07


Jim:

3.  Section 9 - Authenticated-data Content Type:  I think I have identified
what I consider to be a security weakness.  Specifically, if you create an
authenticated data object with authenticated attributes, I can remove the
authenticated attributes and come up with a still legal authenticated data
object.  To fix this I propose that we change authenticated data in the
following ways:
 a) In AuthenticatedData, macAlgorithm be changed to hashAlgorithm.
 b) authenticatedAttributes becomes a REQUIRED field (remove the OPTIONAL)
 c) a digest-value becomes a required attribute in the
authenticatedAttributes (replacing mac-value)
 d) in processing, you hash the encapContentInfo, put the hash in the
authenticated attributes and MAC this value.

I understand your proposed change, but I do not understand the "security
weakness."  In CMS-07, two MAC values are computed.  The first MAC value is
computed from the content, then this MAC value is encoded in an authenticated
attribute.  The second MAC value is computed from the DER encoded attributes.
The two MAC values should not be the same.  So, if the attributes are removed
by an attacker, the MAC value check should fail.

If you are concerned about an attacker who is a recipient, and thus has the
symmetric key needed to compute the MAC, then I do not think that anything can
be done to make authenticated-data secure.

What I am looking at is more of a man in the middle attack.  If I intercept
the message, I can modify it and then send it on to the recipient after
having removed all of the attributes.  Since I have removed all of the
attributes, only one MAC computation would be computed, and that is the same
MAC computation as was in the attributes as the macValue.



5.  Section 12.5.2.  DES MAC should be struck and replaced with 3DES MAC.

My notes from Chicago indicate that HMAC with SHA-1 and DES MAC are the two
algorithms that will be included.  As 12.5 says: "CMS implementations that
support authenticatedData must include HMAC with SHA-1.  CMS implementations
may also include DES MAC."

I'll believe your notes over my memory.  I had thought that DES MAC was
struck and replaced with 3DES MAC.



Enjoy,
  Russ
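The following is an added example that is not part of the mailing-list thread; it models the two AuthenticatedData designs discussed above (the CMS-07 mac-value scheme as Russ describes it, and the digest-value scheme Jim proposes) and shows why the attribute-stripping case differs between them. It assumes HMAC-SHA-1 as the MAC, a deterministic JSON encoding as a stand-in for DER, and a constructed key and content; none of these values come from the thread.

```python
import hashlib
import hmac
import json

# Constructed sample inputs (not from the thread).
KEY = b"shared-mac-key-between-originator-and-recipient"
CONTENT = b"Transfer 100 units to account 42"


def encode_attrs(attrs):
    """Stand-in for DER encoding of the authenticatedAttributes SET
    (assumption: deterministic JSON plays the role of DER here)."""
    return json.dumps(attrs, sort_keys=True).encode()


def compute_mac(key, data):
    """HMAC with SHA-1, the mandatory-to-implement MAC named in the thread."""
    return hmac.new(key, data, hashlib.sha1).digest()


# --- CMS-07 scheme as Russ describes it ---------------------------------
def create_cms07(key, content, attrs=None):
    """MAC the content; if attributes are present, carry that MAC in a
    mac-value attribute and MAC the encoded attributes instead."""
    content_mac = compute_mac(key, content)
    if attrs is None:
        return {"content": content, "attrs": None, "mac": content_mac}
    attrs = {**attrs, "mac-value": content_mac.hex()}
    return {"content": content, "attrs": attrs,
            "mac": compute_mac(key, encode_attrs(attrs))}


def verify_cms07(key, obj):
    """Recipient check: with no attributes the mac field covers the content;
    with attributes, mac-value must match the content MAC and the mac field
    must cover the encoded attributes."""
    if obj["attrs"] is None:
        return hmac.compare_digest(obj["mac"], compute_mac(key, obj["content"]))
    attrs = obj["attrs"]
    if "mac-value" not in attrs:
        return False
    inner_ok = hmac.compare_digest(bytes.fromhex(attrs["mac-value"]),
                                   compute_mac(key, obj["content"]))
    outer_ok = hmac.compare_digest(obj["mac"],
                                   compute_mac(key, encode_attrs(attrs)))
    return inner_ok and outer_ok


# --- Jim's proposed scheme ----------------------------------------------
def create_proposed(key, content, attrs):
    """Attributes are REQUIRED; a digest-value attribute carries the hash of
    the content and the single MAC covers the encoded attributes."""
    attrs = {**attrs, "digest-value": hashlib.sha1(content).hexdigest()}
    return {"content": content, "attrs": attrs,
            "mac": compute_mac(key, encode_attrs(attrs))}


def verify_proposed(key, obj):
    attrs = obj["attrs"]
    if attrs is None or "digest-value" not in attrs:
        return False  # attributes are no longer OPTIONAL
    digest_ok = hmac.compare_digest(bytes.fromhex(attrs["digest-value"]),
                                    hashlib.sha1(obj["content"]).digest())
    mac_ok = hmac.compare_digest(obj["mac"],
                                 compute_mac(key, encode_attrs(attrs)))
    return digest_ok and mac_ok


def strip_attributes(obj):
    """Model of the interception Jim describes: the attributes are removed and
    the value they exposed in the clear (mac-value or digest-value) is moved
    into the mac field. No key is involved, which is the whole point."""
    attrs = obj["attrs"] or {}
    carried = attrs.get("mac-value") or attrs.get("digest-value")
    return {"content": obj["content"], "attrs": None,
            "mac": bytes.fromhex(carried) if carried else obj["mac"]}


def demo():
    """Verification outcomes for both schemes, before and after stripping."""
    attrs = {"contentType": "id-data"}  # constructed attribute
    cms07 = create_cms07(KEY, CONTENT, attrs)
    proposed = create_proposed(KEY, CONTENT, attrs)
    return {
        "cms07_original": verify_cms07(KEY, cms07),
        "cms07_stripped": verify_cms07(KEY, strip_attributes(cms07)),
        "proposed_original": verify_proposed(KEY, proposed),
        "proposed_stripped": verify_proposed(KEY, strip_attributes(proposed)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'verifies' if ok else 'rejected'}")
```

In the CMS-07 model the stripped object still verifies: the mac-value attribute is the MAC over the content, it is visible to anyone holding the message, and the no-attributes verification path expects exactly that value. In the proposed model the only value exposed in the attributes is a hash of the content, which is of no use without the key, and since attributes are required the stripped object is rejected outright. This hash-in-attribute, MAC-over-attributes structure is the one the published CMS specification (RFC 2630) adopted, using a message-digest attribute.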

