Trevor Freeman <trevorf(_at_)EXCHANGE(_dot_)MICROSOFT(_dot_)com> writes:
However when the integrity of the message is validated via the message HMAC,
the sender only demonstrates knowledge of the CEK to the recipient.
Any other recipient knows the CEK so can construct another message using the
same CEK and compute the new HMAC and reuse the encrypted KEK data from the
original message. For example:
Uhh, AuthEnv doesn't specify any use of HMAC, it can be used with HMAC if
required (the other use is with a combined MAC+encrypt mode), but in the HMAC
usage the HMAC and CEK keys are derived from a single key using a PRF, so
knowledge of the CEK doesn't give you the HMAC key, and vice versa. It was
specifically designed that way to prevent rollbacks where you strip off the
MAC and rewrite it as plain encrypted data. Or have I misunderstood your
point?
Peter.