At 05:01 PM 5/5/2003 -0700, Trevor Perrin wrote:
> Hello S/MIME,
> I'm curious what this group thinks about adopting an
> authenticated-encryption cipher mode, such as:
> EAX:
> https://www1.ietf.org/mail-archive/working-groups/cfrg/current/msg00223.html
> CWC:
> https://www1.ietf.org/mail-archive/working-groups/cfrg/current/msg00224.html
> Such a mode could integrity-protect S/MIME encrypted-only messages. It
> could also defend against an oracle attack on signed-then-CBC-encrypted
> messages. I'm not sure this attack is well known, so I'll describe it:
> If the plaintext is a sequence of blocks P[1],P[2],.., and the ciphertext
> is a sequence of blocks where C[0] is the IV, followed by C[1],C[2],..,
> then we assume the attacker wants to verify a guess G for P[X], and knows
> the value of P[1] (the first blocksize bytes of the ContentInfo containing
> SignedData, which is just a well-known ASN.1 header).
> The attacker copies C[X] over C[1], and sets C[0] = G xor C[X-1] xor
> P[1]. If his guess is correct, then the new ciphertext C[1] will decrypt
> to the same plaintext P[1] it would have without his modifications - if
> his guess is wrong, the decrypted P[1] will have bit errors, which will
> probably cause an error in the recipient's software.
well, I got this wrong - whether the attacker's guess is right or wrong,
P[2] will also be damaged. Whether the attacker can differentiate these
failures, or other similar parsing failures he can induce by rearranging
blocks (i.e. by copying C[X] over some other block besides C[1]), I suppose
is implementation-dependent, or at least difficult to work out.
Authenticated encryption would at least remove any concerns on these lines.
Trevor
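The following is an added example, not part of Trevor's post or of any S/MIME implementation. It reproduces the block relations described above so the correction can be checked: with the rearrangement C[X] over C[1] and C[0] := G xor C[X-1] xor P[1], P[1] survives only when the guess is right, but P[2] is damaged either way. It then shows why an authenticated mode settles the question: any rearranged ciphertext fails the tag check before the recipient ever parses a block. Everything is stdlib-only and constructed: a small keyed Feistel permutation stands in for AES (it is not a secure cipher, only a block permutation with the CBC properties needed here), generic encrypt-then-MAC with HMAC-SHA256 stands in for EAX/CWC, and the key, IV and plaintext blocks are made up.

```python
# Added example. Toy cipher + CBC + encrypt-then-MAC, stdlib only.
import hashlib
import hmac

BLOCK = 16


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    # Round function of the constructed toy cipher (stand-in for AES, not secure).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    # 4-round Feistel permutation on a 16-byte block.
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, xor(l, _f(key, r, i))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = xor(r, _f(key, l, i)), l
    return l + r


def cbc_encrypt(key: bytes, iv: bytes, plain: list) -> list:
    # Returns the block list C[0..n] with C[0] = IV, matching the post's notation.
    c = [iv]
    for p in plain:
        c.append(block_encrypt(key, xor(p, c[-1])))
    return c


def cbc_decrypt(key: bytes, c: list) -> list:
    # P[i] = D(C[i]) xor C[i-1]; returns P[1..n] as a 0-based list.
    return [xor(block_decrypt(key, c[i]), c[i - 1]) for i in range(1, len(c))]


def rearrange(c: list, p1: bytes, x: int, guess: bytes) -> list:
    # The modification from the post: C[X] over C[1], C[0] := G xor C[X-1] xor P[1].
    mod = list(c)
    mod[1] = c[x]
    mod[0] = xor(xor(guess, c[x - 1]), p1)
    return mod


def damaged_blocks(key: bytes, c: list, p1: bytes, x: int, guess: bytes) -> list:
    """1-based indices of plaintext blocks that no longer decrypt to the original
    after the rearrangement. With plain CBC nothing stops the decryption; only the
    recipient's parser sees the damage."""
    original = cbc_decrypt(key, c)
    changed = cbc_decrypt(key, rearrange(c, p1, x, guess))
    return [i + 1 for i, (a, b) in enumerate(zip(original, changed)) if a != b]


def _mac_key(key: bytes) -> bytes:
    # Derive a separate MAC key from the cipher key (constructed derivation).
    return hashlib.sha256(b"mac|" + key).digest()


def ae_encrypt(key: bytes, iv: bytes, plain: list) -> bytes:
    # Generic encrypt-then-MAC: the tag covers the IV and every ciphertext block.
    ct = b"".join(cbc_encrypt(key, iv, plain))
    return ct + hmac.new(_mac_key(key), ct, hashlib.sha256).digest()


def ae_decrypt(key: bytes, msg: bytes) -> list:
    ct, tag = msg[:-32], msg[-32:]
    expected = hmac.new(_mac_key(key), ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")  # rejected before any parsing
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return cbc_decrypt(key, blocks)


def ae_rejects_rearrangement(key: bytes, msg: bytes, p1: bytes, x: int, guess: bytes) -> bool:
    # Same block rearrangement against the authenticated message; True if rejected.
    ct, tag = msg[:-32], msg[-32:]
    c = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    try:
        ae_decrypt(key, b"".join(rearrange(c, p1, x, guess)) + tag)
    except ValueError:
        return True
    return False


# Constructed key, IV and plaintext blocks (P[1] plays the known ASN.1 header).
KEY = b"constructed-key!"
IV = b"constructed-iv-0"
P = [b"ASN1-HEADER-BLK1", b"signed-data-blk2", b"secret-block-no3", b"trailing-block-4"]
CT = cbc_encrypt(KEY, IV, P)
AE_MSG = ae_encrypt(KEY, IV, P)

if __name__ == "__main__":
    print("right guess damages:", damaged_blocks(KEY, CT, P[0], 3, P[2]))
    print("wrong guess damages:", damaged_blocks(KEY, CT, P[0], 3, b"wrong-guess-blk!"))
    print("AE rejects:", ae_rejects_rearrangement(KEY, AE_MSG, P[0], 3, P[2]))
```

Running it prints `[2]` for the correct guess and `[1, 2]` for a wrong one, which is exactly the corrected statement in the post: P[2] = D(C[2]) xor C[1] picks up the new C[1] regardless of the guess, so the recipient's failure mode differs only in whether P[1] is also corrupted. The authenticated variant never reaches that parsing step; the tag mismatch is the only observable outcome, which is the property the thread is asking for.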