Alicia da Conceicao <alicia(_at_)engine(_dot_)ca> writes:
For CMS EnvelopedData, it would be very useful to have an
UnprotectedAttribute containing a DigestInfo (as defined in PKCS#1) with a
hash of the encrypted data.
DigestInfo ::= SEQUENCE {
digestAlgorithm DigestAlgorithm,
digest OCTET STRING }
I proposed something like this a while back to get around the patent mess
surrounding the encrypt+authenticate modes of operation, and the response was
pretty underwhelming. Specifically though, you want a MAC, not a digest, to
protect the content. PGP uses a straight hash, but protects it by encrypting
it alongside the content. If you use a hash then besides the obvious weakness
of not protecting it from modification, you also leak information about the
content in the hash.
This would be essential when the encrypted data is detached from the CMS
EnvelopedData structure, which occurs when the optional encryptedContent is
not present. If one has either the detached encrypted data or the CMS
EnvelopedData, then this hash would greatly assist in finding a match for the
other.
OK, that's a quite different use for what I was proposing it for - I was after
integrity protection of the content. This is something that no current CMS
mechanism provides, but which a great many users expect as being provided when
they use encryption (see Simpson Garfinkel's thesis). Adding a MAC as PGP has
would ensure that the behaviour of a CMS envelope met user's expectations.
Peter.