ietf-smime

Re: CMS: Comment on checksum algorithm.

1998-11-14 20:52:49
Dr Stephen Henson <shenson(_at_)drh-consultancy(_dot_)demon(_dot_)co(_dot_)uk> wrote:

> Paul Hoffman / IMC wrote:
> > Er, I really don't like "left" and "right", since a fair number of people
> > in the world write from right to left. I propose:
> >
> > most significant (first) octet to least significant (last) octet
>
> Yes I'll go with that. "First" and "last" were the terms used in a similar
> (but not identical) algorithm mentioned in the PKCS#11 spec.
 
The algorithm is just a Fletcher checksum. I've sent the CMS draft author a
list of slightly more accessible references for this; perhaps it'd be possible
to take a description of the algorithm from one of these, or at least refer to
them for more information (including details of the properties of the
algorithm).
 
One comment on the algorithm when it's used to check for malicious
modifications: it may be useful to iterate it multiple times and use the
32-bit instead of 16-bit version to avoid problems where an attacker can
manipulate the data in a predictable way and then try to cancel it by
adjusting the checksum (for example if the wrapping is done using CFB or OFB
mode). The security of an encrypted weak checksum is an open question, which
is why I'm paranoid in my implementation (of something completely unrelated to
CMS) and use 10 iterations of the 32-bit Fletcher checksum. This isn't a
problem in the current application, but who knows where the key wrapping will
end up being used, which means an attacker could end up being able to mount a
related-key attack if they can bend the checksum straight again after flipping
a few key bits (or even just try an exhaustive search like Matt Blaze did with
Clipper). With a single iteration you can in any case flip the low key bits
and have a fairly high probability of being able to get the checksum correct.
 
Peter.
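As an added example (not code from this thread, the CMS draft or any implementation discussed in it), here are textbook Fletcher-16 and Fletcher-32 checksums in Python, processing octets first to last as agreed above, together with a check of the single-bit-error detection the checksum does guarantee. The 16-bit word order and zero padding in `fletcher32` follow the common published test-vector convention and are an assumption, not something taken from the thread.

```python
# Added example, not from the thread: textbook Fletcher-16 / Fletcher-32.
# Octets are consumed first to last; fletcher32 forms little-endian 16-bit
# words and zero-pads an odd trailing octet (assumed convention, matches
# the usual published test vectors).

def fletcher16(data: bytes) -> int:
    """Fletcher-16: two running sums modulo 255; result is (sum2 << 8) | sum1."""
    sum1 = sum2 = 0
    for octet in data:                 # first octet processed first
        sum1 = (sum1 + octet) % 255
        sum2 = (sum2 + sum1) % 255
    return (sum2 << 8) | sum1


def fletcher32(data: bytes) -> int:
    """Fletcher-32: the same structure over 16-bit words modulo 65535."""
    if len(data) % 2:
        data = data + b"\x00"          # pad an odd-length input with a zero octet
    sum1 = sum2 = 0
    for i in range(0, len(data), 2):
        word = data[i] | (data[i + 1] << 8)
        sum1 = (sum1 + word) % 65535
        sum2 = (sum2 + sum1) % 65535
    return (sum2 << 16) | sum1


def undetected_single_bit_flips(data: bytes, checksum=fletcher16) -> int:
    """Flip each bit of `data` in turn and count flips the checksum misses.
    A single flip always changes sum1 (no power of two is 0 mod 255 or
    mod 65535), so this is 0 for any input. That is the accidental-error
    guarantee of a Fletcher sum; it says nothing about a deliberate
    multi-octet change chosen to restore the sums, which is the thread's worry."""
    reference = checksum(data)
    missed = 0
    for index in range(len(data)):
        for bit in range(8):
            flipped = bytearray(data)
            flipped[index] ^= 1 << bit
            if checksum(bytes(flipped)) == reference:
                missed += 1
    return missed


if __name__ == "__main__":
    sample = b"abcdefgh"               # constructed sample input
    print(f"fletcher16 = {fletcher16(sample):#06x}")
    print(f"fletcher32 = {fletcher32(sample):#010x}")
    print("undetected single-bit flips:", undetected_single_bit_flips(sample))
```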

