Thanks Mike,
Will add words to that effect.
Stephen.
Mike Just wrote:
Hi Stephen, Sean,

Possibly another item worth including in the Security Considerations section.
Suppose MSG1 is sent to a set S1 of users. In the case where MSG2 is sent to
only a subset of users in S1, all users from S1 will still be able to decrypt
MSG2 (since MSG2.KEK is computed only from MSG1.CEK). I don't think you
intended for your solution to be used for such dynamic recipient sets, but it
might be worth explicitly mentioning this unfortunate side-effect of key
re-use in any case. (Might be enough to mention that the recipient lists must
be the same for each message.)

Mike J.
--
____________________________________________________________
Stephen Farrell
Baltimore Technologies, tel: (direct line) +353 1 881 6716
39 Parkgate Street, fax: +353 1 881 7000
Dublin 8. mailto:stephen(_dot_)farrell(_at_)baltimore(_dot_)ie
Ireland http://www.baltimore.com
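
The side effect raised in the quoted message, together with the same-recipient-list check it suggests, as an added example that is not part of the original thread or of the draft under discussion. The KDF (PBKDF2-HMAC-SHA256), the toy XOR key wrap, the `Sender` class and the recipient names are assumptions made for illustration.

```python
import hashlib, hmac, os

def derive_kek(prev_cek, salt):
    # Assumption: PBKDF2-HMAC-SHA256 stands in for the draft's KDF over MSG1.CEK.
    return hashlib.pbkdf2_hmac("sha256", prev_cek, salt, 1000, dklen=32)

def _pad(kek):
    return hmac.new(kek, b"wrap", hashlib.sha256).digest()

def toy_wrap(kek, cek):
    # Toy XOR wrap plus MAC; a stand-in for a real key-wrap algorithm.
    body = bytes(a ^ b for a, b in zip(cek, _pad(kek)))
    return body + hmac.new(kek, body, hashlib.sha256).digest()

def toy_unwrap(kek, blob):
    body, tag = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(kek, body, hashlib.sha256).digest()):
        raise ValueError("wrong KEK")
    return bytes(a ^ b for a, b in zip(body, _pad(kek)))

def dropped_recipient_reads_msg2():
    cek1 = os.urandom(32)                 # MSG1.CEK, held by all of S1 (incl. carol)
    salt, cek2 = os.urandom(16), os.urandom(32)
    wrapped = toy_wrap(derive_kek(cek1, salt), cek2)   # MSG2, meant for alice and bob
    # carol is not on MSG2's list, yet needs nothing beyond MSG1.CEK:
    return toy_unwrap(derive_kek(cek1, salt), wrapped) == cek2

class Sender:
    """Reuses the previous CEK only when the recipient list is unchanged."""
    def __init__(self):
        self.prev_cek = self.prev_recipients = None

    def send(self, recipients):
        recipients, cek = frozenset(recipients), os.urandom(32)
        if self.prev_cek is not None and recipients == self.prev_recipients:
            salt = os.urandom(16)
            kek = derive_kek(self.prev_cek, salt)
            msg = {"mode": "reuse", "salt": salt, "wrapped": toy_wrap(kek, cek)}
        else:
            # List changed (or first message): fall back to ordinary
            # per-recipient key transport, not modelled here.
            msg = {"mode": "full", "recipients": recipients}
        self.prev_cek, self.prev_recipients = cek, recipients
        return msg

if __name__ == "__main__":
    print(dropped_recipient_reads_msg2())
```

Because a changed list forces the full path with a fresh CEK, a recipient dropped at that point holds no key from which later KEKs in the chain can be derived.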