ietf-smime

RE: Ordering of encryption and signing of a S/MIME message

2002-10-21 01:13:33

Bernd,

For security reasons, you should first sign your message and then encrypt it
with the recipient's public key. If you perform the reverse operation
(encrypt then sign), then a threat agent may intercept your message, strip
your signature and sign "your encrypted" message. The recipient will hence
receive a signed message from the threat agent and no longer from you.

malek

___________________________________________________________
Malek Bechlaghem
e-Security Product Development Manager
Tel.: +32 2 202 79 02
Fax: +32 2 202 41 06
E-mail: malek(_dot_)bechlaghem(_at_)belgacom(_dot_)be
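The ordering argument above, worked through as an added example (not code from the thread or from any S/MIME implementation): toy stand-ins for SignedData and EnvelopedData show that an outer signature over ciphertext binds nobody to the plaintext, while an inner signature does. HMAC plays the role of the signature and a SHA-256 keystream the role of the content cipher; the names, keys and message are constructed.

```python
import hashlib
import hmac
import json

# Constructed toy primitives: HMAC stands in for a public-key signature, so
# "public_keys" below is simply the same key table used for signing.
def _keystream(key, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def encrypt(recipient_key, data):            # EnvelopedData stand-in
    return bytes(a ^ b for a, b in zip(data, _keystream(recipient_key, len(data))))

decrypt = encrypt                             # XOR keystream: same both ways

def sign(signer, signer_key, content):        # SignedData stand-in
    sig = hmac.new(signer_key, content, "sha256").hexdigest()
    return {"signer": signer, "sig": sig, "content": content.hex()}

def verify(signed, public_keys):
    expected = hmac.new(public_keys[signed["signer"]],
                        bytes.fromhex(signed["content"]), "sha256").hexdigest()
    return hmac.compare_digest(expected, signed["sig"])

def sign_then_encrypt(signer, signer_key, recipient_key, plaintext):
    return encrypt(recipient_key, json.dumps(sign(signer, signer_key, plaintext)).encode())

def encrypt_then_sign(signer, signer_key, recipient_key, plaintext):
    return sign(signer, signer_key, encrypt(recipient_key, plaintext))

def open_sign_then_encrypt(blob, recipient_key, public_keys):
    """Decrypt, then verify the inner signature over the plaintext itself."""
    inner = json.loads(decrypt(recipient_key, blob))
    if not verify(inner, public_keys):
        raise ValueError("inner signature invalid")
    return inner["signer"], bytes.fromhex(inner["content"])

def open_encrypt_then_sign(signed, recipient_key, public_keys):
    """Verify the outer signature, then decrypt. The signature only vouches
    for the ciphertext, not for who produced the plaintext inside it."""
    if not verify(signed, public_keys):
        raise ValueError("outer signature invalid")
    return signed["signer"], decrypt(recipient_key, bytes.fromhex(signed["content"]))

def demo():
    keys = {"alice": b"alice-key", "bob": b"bob-key", "mallory": b"mallory-key"}
    msg = b"Transfer 100 EUR to account 42"
    # Encrypt-then-sign: whoever holds the envelope can replace the outer
    # SignedData with their own, and Bob then attributes Alice's text to Mallory.
    ets = encrypt_then_sign("alice", keys["alice"], keys["bob"], msg)
    reissued = sign("mallory", keys["mallory"], bytes.fromhex(ets["content"]))
    ets_view = open_encrypt_then_sign(reissued, keys["bob"], keys)
    # Sign-then-encrypt: the signature is inside the envelope, over the
    # plaintext, so the author Bob sees is bound to the content Bob reads.
    ste = sign_then_encrypt("alice", keys["alice"], keys["bob"], msg)
    ste_view = open_sign_then_encrypt(ste, keys["bob"], keys)
    return ets_view, ste_view
```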



-----Original Message-----
From: Bernd Matthes [mailto:bernd(_dot_)matthes(_at_)gemplus(_dot_)com]
Sent: 17 October 2002 16:22
To: ietf smime
Cc: Matthias Genkel; Dr. Stephen Henson
Subject: Q: Ordering of encryption and signing of a S/MIME message


Hi to all!

My question is:
Is it useful to first encrypt a message and then sign the encrypted result,
for example so that the encapsulatedData of a pkcs7SignedData structure
is a pkcs7encrypted data structure?
I know, it's senseless... ;-) but I found nothing in the standards.
Is there any sensible reason against this procedure (I hope so)?

thanks in advance.

with kind regards
-- 
Bernd Matthes                   Gemplus mids GmbH --
Senior Software Engineer           formerly Celo Communications GmbH
Dipl.-Ing.(FH)                  R&D Center Germany
--------------------------------------------------------------------
"Complexity breeds bugs. Bugs prevent adoption, lack of" \
"adoption results in death. Death not good." "Life sucks."


