
RE: digested-data, surreptitious forwarding, D-H

2002-07-28 20:59:06

Trevor Perrin <Tperrin(_at_)sigaba(_dot_)com> writes:

If the encrypted digest is attached as an unprotected attribute, it could be
removed by an adversary, presumably?  In which case, since the recipient would
have to know how to handle CMS messages either with or without the encrypted
digest for backwards compatibility, the recipient wouldn't notice anything
amiss.  So maybe that's an argument for the digest to be inside the
envelopedData encryption, not as a separate thing.

You can't prevent a rollback attack, since you need to integrity-protect the
fact that integrity-protection is being used, which is a catch-22.  The fix
would be something like what was done in SSLv3 which messes with the RSA-
wrapped key data to include the version, but this is incredibly ugly for CMS
which can't assume PKCS #1 RSA padding.  I was just assuming that the MDC would
be by prior arrangement, and the recipient would reject any messages without
the MDC - for the EDI application, this is the standard way to handle message
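The rollback described above, as an added example (not code from either poster or from any CMS implementation): a toy envelope whose content cipher is a constructed HMAC keystream, with the MDC carried either as an unprotected attribute or inside the encryption, and a backwards-compatible recipient beside one that rejects messages without the MDC. The keys and the message are constructed demo values.

```python
import hashlib
import hmac

# Constructed demo keys standing in for the CMS content-encryption key and the MDC key.
ENC_KEY = hashlib.sha256(b"demo-enc-key").digest()
MDC_KEY = hashlib.sha256(b"demo-mdc-key").digest()
MDC_LEN = 32

def keystream(key, n):
    # Toy HMAC counter-mode keystream standing in for the content cipher (demo only).
    blocks = [hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1)]
    return b"".join(blocks)[:n]

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def mdc(content):
    return hmac.new(MDC_KEY, content, hashlib.sha256).digest()

def envelope_external_mdc(content):
    # Variant 1: the MDC travels beside the ciphertext as an unprotected attribute.
    return {"enc": xor_bytes(content, keystream(ENC_KEY, len(content))),
            "unprotected": {"mdc": mdc(content)}}

def envelope_internal_mdc(content):
    # Variant 2: the MDC is prepended to the plaintext, so it sits inside the encryption.
    pt = mdc(content) + content
    return {"enc": xor_bytes(pt, keystream(ENC_KEY, len(pt))), "unprotected": {}}

def strip_unprotected(msg):
    # Nothing protects the unprotected attributes, so an adversary can simply drop them.
    return {"enc": msg["enc"], "unprotected": {}}

def open_external(msg, require_mdc):
    # Recipient for variant 1. require_mdc=False is the backwards-compatible recipient
    # from the thread; require_mdc=True is "reject any message without the MDC".
    content = xor_bytes(msg["enc"], keystream(ENC_KEY, len(msg["enc"])))
    tag = msg["unprotected"].get("mdc")
    if tag is None:
        return None if require_mdc else content
    return content if hmac.compare_digest(tag, mdc(content)) else None

def open_internal(msg):
    # Recipient for variant 2: the MDC is inside the encryption, so it cannot be stripped.
    pt = xor_bytes(msg["enc"], keystream(ENC_KEY, len(msg["enc"])))
    tag, content = pt[:MDC_LEN], pt[MDC_LEN:]
    return content if len(tag) == MDC_LEN and hmac.compare_digest(tag, mdc(content)) else None
```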

