Russ Housley <housley(_at_)spyrus(_dot_)com> writes:
> I do not think that we are being gratuitous. I think that it is good security
> practice to remove any toe-hold that an attacker has. Further, I do not
> believe that the CMS layer in current S/MIME implementations exhibits the
> behavior (or lack thereof) necessary to be immune from the attack against RSA
> PKCS#1 v1.5.
When this topic came up the last time I posted the following summary of the
situation:
[...] this attack requires that an attacker send you around a million pieces
of CMS encrypted email with attached receipt requests, that you respond with
a million receipts indicating to the attacker the exact details of why the
decrypt failed, that you reuse the same per-message key for each of those
million messages.
Now maybe I'm being a bit optimistic here, but I do think that claiming this
is a weakness is pretty silly. First of all you need to assume that an
attacker can somehow send you a million pieces of email without you noticing
and without it getting stopped by spam blockers. Your own software then has
to try to decrypt each of the one million pieces of email, find that it
can't, and send out a receipt to the sender containing an indication of
exactly how the decryption failed (this isn't possible even if you wanted to
do it, although who knows what the Receipt Notification WG have been working
on recently). Finally, the whole attack only works if you reuse
cryptovariables. This is why the CERT advisory on this problem specifically
points out "This vulnerability does not affect S/MIME or SET".
As a security threat, I'd say this rates somewhere down with "Router hit by
meteorite", "Computer trampled by stampeding water buffalo", "Hard drive
kidnapped by space aliens", and similar FUD.
Sure, it is in theory possible, if you try really, really hard and are willing
to bend over backwards to cooperate with an attacker, to allow this kind of
attack to occur. However, abandoning a universally-implemented and used
standard mechanism for a different one on the basis of something like this just
doesn't make any sense. You're more likely to get someone's key by asking them
for it (I've seen this happen a number of times, in some cases without even
needing to ask for it, by people who assume that "PKCS #12 == certificate" and
send out their "certificate" for others to use) than by using this kind of
attack.
Just because it's (theoretically) possible to break into Fort Knox with a can
opener doesn't mean that Kentucky is going to start screening people at the
border for possession of said item.
Peter.
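The oracle the two messages above are arguing about, as an added example that is not code from this thread or from any S/MIME implementation. It pairs a receiver that reports the exact PKCS#1 v1.5 padding error (the "indication of exactly how the decryption failed" Peter describes) with the mitigated receiver that substitutes a random content-encryption key on any failure, which is the countermeasure RFC 3218 later standardised for CMS. The RSA key is a fixed pair of toy Mersenne primes chosen only so the demo runs instantly; the attacker's `blind()` query is Bleichenbacher's basic multiply-by-s^e step, and `probe()` just collects the answers for a few s values.

```python
"""Toy PKCS#1 v1.5 decryption oracle: leaky receiver vs. hardened receiver.

Added example, not code from the original thread.  Assumptions: a fixed tiny
RSA key built from two Mersenne primes (useless for real use, fine for a demo),
a 16-byte content-encryption key (CEK), and no attempt at constant-time code.
"""
import secrets

# --- toy RSA key (assumption: hard-coded primes, demo only) -------------------
P = (1 << 127) - 1          # Mersenne prime 2^127 - 1
Q = (1 << 89) - 1           # Mersenne prime 2^89 - 1
N = P * Q
E = 65537                   # gcd(E, (P-1)(Q-1)) == 1 for these primes
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8   # modulus length in bytes (27 here)


def i2osp(x: int, length: int) -> bytes:
    return x.to_bytes(length, "big")


def os2ip(b: bytes) -> int:
    return int.from_bytes(b, "big")


def pkcs1_v15_pad(msg: bytes) -> bytes:
    """EME-PKCS1-v1_5 type 2: 00 02 <PS: >= 8 random non-zero bytes> 00 <msg>."""
    if len(msg) > K - 11:
        raise ValueError("message too long for modulus")
    ps = bytes(secrets.choice(range(1, 256)) for _ in range(K - 3 - len(msg)))
    return b"\x00\x02" + ps + b"\x00" + msg


def rsa_encrypt(msg: bytes) -> int:
    """Sender side: pad the CEK and encrypt it under the recipient's public key."""
    return pow(os2ip(pkcs1_v15_pad(msg)), E, N)


def pkcs1_v15_unpad_leaky(em: bytes):
    """Return (status, payload).  Each distinct failure string is exactly the
    'why the decrypt failed' signal an attacker wants echoed back in a receipt."""
    if em[0] != 0x00:
        return "bad_leading_byte", None
    if em[1] != 0x02:
        return "bad_block_type", None
    try:
        sep = em.index(b"\x00", 2)
    except ValueError:
        return "no_separator", None
    if sep - 2 < 8:
        return "short_padding", None
    return "ok", em[sep + 1:]


def leaky_decrypt_status(c: int) -> str:
    """The bad receiver: tells the sender of c precisely which check failed."""
    em = i2osp(pow(c, D, N), K)
    return pkcs1_v15_unpad_leaky(em)[0]


def hardened_recover_cek(c: int, cek_len: int = 16) -> bytes:
    """The mitigated receiver (the RFC 3218 approach): on *any* padding failure
    substitute a random CEK and carry on.  The symmetric layer then fails the
    same way for every bad ciphertext, so no receipt can say why.  A real
    implementation must also make this branch-free in time; this toy does not."""
    em = i2osp(pow(c, D, N), K)
    status, payload = pkcs1_v15_unpad_leaky(em)
    if status == "ok" and len(payload) == cek_len:
        return payload
    return secrets.token_bytes(cek_len)


def blind(c: int, s: int) -> int:
    """Attacker's query: c * s^e mod n decrypts to s*m mod n, so the oracle's
    answer reveals whether s*m is PKCS-conformant (Bleichenbacher's basic step).
    Each such query is one of the 'million pieces of email'."""
    return (c * pow(s, E, N)) % N


def probe(c: int, s_values) -> list:
    """Collect the leaky oracle's answers for a series of blinding values."""
    return [leaky_decrypt_status(blind(c, s)) for s in s_values]


if __name__ == "__main__":
    cek = secrets.token_bytes(16)           # constructed sample CEK
    c = rsa_encrypt(cek)
    print("leaky oracle, s = 1..6:", probe(c, range(1, 7)))
    print("hardened recovers real CEK:", hardened_recover_cek(c) == cek)
    print("hardened on tampered c gives an opaque key:",
          hardened_recover_cek(blind(c, 2)).hex())
```

With this modulus the padded block m lies in [2B, 3B) for B = 2^200, so 2m lands in [4B, 6B): the leading byte is still 0x00 but the block-type byte becomes 0x04 or 0x05, and the leaky receiver reports `bad_block_type` every time, while the hardened receiver returns sixteen random bytes that look no different from a genuine key. That is the whole difference between "toe-hold" and "no toe-hold": both receivers do the same RSA work, only the leaky one tells the attacker which of the four checks tripped.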