[Top] [All Lists]

RE: digested-data, surreptitious forwarding, D-H

2002-07-28 15:45:53

Interesting, I'd assumed that you could do multiple layers (like a
digestedData and envelopedData, or signedData and envelopedData) in a single
pass, by hashing and then encrypting each content block, then moving to the
next one, etc..  You're saying that this isn't possible, but the scheme
below can be done in one pass?

-----Original Message-----
From: pgut001(_at_)cs(_dot_)auckland(_dot_)ac(_dot_)nz 
Sent: Saturday, July 27, 2002 11:20 PM
To: Tperrin(_at_)sigaba(_dot_)com; ietf-smime(_at_)imc(_dot_)org
Subject: Re: digested-data, surreptitious forwarding, D-H

Trevor Perrin <Tperrin(_at_)sigaba(_dot_)com> writes:

1) I'm surprised S/MIME doesn't use CMSs' digested-data with
In the case of encrypted but not signed mails, doesn't this leave the
vulnerable to things like cut-and-paste attacks (where an attacker reorders
ciphertext blocks, so upon decrypting the recipient sees reordered

Funny you should mention that, I was discussing this recently with someone
was quite concerned about this (they were FTP'ing large encrypted EDI
around).  What they wanted was a modification to EncryptedData to include a
hash inside the encrypted content, rather than DigestedData, which would
require a second pass (they encrypt the content as they stream it in and
so anything requiring two passes is a non-starter).  I have the feeling that
more people would be asking for this if they had any idea that encryption
doesn't guarantee integrity protection.

My suggestion was to put it in as an unprotectedAttrs, just encrypting the
after the content.  In other words, hash the data before you encrypt it,
after you've finished encrypting the data encrypt the hash and store it as
unprotectedAttrs.  This is a bog-standard way of appending an MDC to the
and is compatible with the existing format.  The MDC info is put in as
originatorInfo, which is a bit of a kludge but seems to be the sensible
for it.  This would need a new originatorInfo type, but that's the only

If there's any support for this sort of thing, I could crank out an
informational RFC for this fairly quickly.