
Re: Some comments on the use of DH in S/MIME

1998-12-29 11:49:41
At 21:32 25/12/98, Peter Gutmann wrote:

I am not going to comment on the cryptographic aspects here, but...

> Now maybe I'm being a bit optimistic here, but I do think that claiming this
> is a weakness is pretty silly.  First of all, you need to assume that an
> attacker can somehow send you a million pieces of email without you noticing
> and without it getting stopped by spam blockers.

I think this *must* be a working assumption.  As soon as e-mail (or other
S/MIME-protected object transport) is used for automated transactions
(which I believe will happen) then this assumption becomes a real
probability, IMO.  I see this as another aspect of Internet protocol
scalability.

> ...  Your own software then has to try to decrypt each of the one million
> pieces of email, find that it can't, and send out a receipt to the sender
> containing an indication of exactly how the decryption failed (this isn't
> possible even if you wanted to do it, although who knows what the Receipt
> Notification WG have been working on recently).

The fact that 'receipt' doesn't currently have a mechanism to carry this
information doesn't mean:
(a) that it never will, or
(b) that some other mechanism, one that does have this capability, will not be used.

> ...  Finally, the whole attack only works if you reuse cryptovariables
> - it would work nicely if you use something like the ES-DH cached values
> which Eric mentioned in a previous message, but not against Elgamal key
> wrapping.  This is why the CERT advisory on this problem specifically
> points out "This vulnerability does not affect S/MIME or SET".

I cannot comment on the truth of this assertion.  But it does seem to me
that this should be the basis of debate for the issue you raise, rather
than assumptions about message volumes, etc.

#g

------------
Graham Klyne
(GK(_at_)ACM(_dot_)ORG)