[Top] [All Lists]

Re: Way Forward

2000-08-02 11:24:26
Russ Housley <housley(_at_)spyrus(_dot_)com> writes:

I do not think that we are being gratuitous.  I think that it is good security
practice to remove any toe-hold that an attacker has.  Further, I do not
believe that the CMS layer in current S/MIME implementations exhibit the
behavior (or lack thereof) necessary to be immune from the attack against RSA
PKCS#1 v1.5.

When this topic came up the last time I posted the following summary of the

  [...] this attack requires that an attacker send you around a million pieces
  of CMS encrypted email with attached receipt requests, that you respond with
  a million receipts indicating to the attacker the exact details of why the
  decrypt failed, that you reuse the same per-message key for each of those
  million messages.

  Now maybe I'm being a bit optimistic here, but I do think that claiming this
  is a weakness is a pretty silly.  First of all you need to assume that an
  attacker can somehow send you a million pieces of email without you noticing
  and without it getting stopped by spam blockers.  Your own software then has
  to try to decrypt each of the one million pieces of email, find that it
  can't, and send out a receipt to the sender containing an indication of
  exactly how the decryption failed (this isn't possible even if you wanted to
  do it, although who knows what the Receipt Notification WG have been working
  on recently).  Finally, the whole attack only works if you reuse
  cryptovariables.  This is why the CERT advisory on this problem specifically
  points out "This vulnerability does not affect S/MIME or SET".

  As a security threat, I'd say this rates somewhere down with "Router hit by
  meteorite", "Computer trampled by stampeding water buffalo", "Hard drive
  kidnapped by space aliens", and similar FUD.

Sure, it is in theory possible, if you try really, really hard and are willing
to bend over backwards to cooperate with an attacker, to allow this kind of
attack to occur.  However, abandoning a universally-implemented and used
standard mechanism for a different one on the basis of something like this just
doesn't make any sense.  You're more likely to get someone's key by asking them
for it (I've seen this happen a number of times, in some cases without even
needing to ask for it, by people who assume that "PKCS #12 == certificate" and
send out their "certificate" for others to use) than by using this kind of

Just because it's (theoretically) possible to break into Fort Knox with a can
opener doesn't mean that Kentucky is going to start screening people at the
border for possession of said item.


<Prev in Thread] Current Thread [Next in Thread>