ietf-smime

RE: weak authentication issue with rfc5083

2008-05-09 13:13:13

Hi Peter,
The pushback to why doesn't everyone just use signatures is when I have an 
existing security mechanism like Kerberos which builds secure pairwise keys. 
Kerberos shared secrets can establish mutual authentication providing both 
parties demonstrate knowledge of the shared secret. I don't think the solution 
is that complex. If I encrypt the MAC with the pairwise secret I achieve 
mutual authentication. We use the same mechanism to learn the CEK, we just need 
to do the same again to prove I know both the KEK and the MAC.

Trevor

-----Original Message-----
From: pgut001 [mailto:pgut001(_at_)cs(_dot_)auckland(_dot_)ac(_dot_)nz]
Sent: Friday, May 09, 2008 6:26 AM
To: ietf-smime(_at_)imc(_dot_)org; ietf(_at_)augustcellars(_dot_)com; 
pgut001(_at_)cs(_dot_)aucKland(_dot_)ac(_dot_)nz; Trevor Freeman
Subject: RE: weak authentication issue with rfc5083

"Jim Schaad" <ietf(_at_)augustcellars(_dot_)com> writes:

I believe you have misunderstood the issue that Trevor raised.

His problem is:

1. I send you and him a single Authenticated Message.

2. He takes the common CEK in the original message, uses it to create a MAC
on a new message and then sends it on to you.

As is always true with Authenticated messages, there is no proof of origin.
He worries that you might be confused and believe the second message was
from me rather than from him.  Since they both use the same CEK that is not a
factor that could be used to distinguish them.

Ah, OK, thanks.  How serious a threat is this in practice though?  Wouldn't
people just use asymmetric auth if they're worried about proof of origin?  I
realise it's kind of an interesting problem to solve, but does it need solving
beyond a security considerations note "If you're seriously worried about proof
of origin use a signature"?

Peter.
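
The scenario discussed in this thread, modelled as an added example that is not part of any message in it: a check under the common CEK alone cannot tell which key holder produced a message, while a second check bound to a sender/recipient pairwise key can. Assumptions: HMAC-SHA256 stands in for the RFC 5083 authenticated-encryption tag, the binding is an HMAC over the tag under the pairwise key rather than an encryption of the MAC, and all key and function names are hypothetical.

```python
import hashlib
import hmac

def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

# Constructed sample keys (fixed for reproducibility, not real key material).
CEK = hashlib.sha256(b"constructed common CEK").digest()  # known to every recipient
K_JIM_PETER = hashlib.sha256(b"constructed Jim/Peter pairwise key").digest()
K_TREVOR_PETER = hashlib.sha256(b"constructed Trevor/Peter pairwise key").digest()

def send_plain(cek, msg):
    """Message authenticated only under the common CEK."""
    return msg, mac(cek, msg)

def verify_plain(cek, msg, tag):
    return hmac.compare_digest(tag, mac(cek, msg))

def send_bound(cek, pairwise, msg):
    """Same tag, plus a binding of that tag to a sender/recipient pairwise key."""
    tag = mac(cek, msg)
    return msg, tag, mac(pairwise, tag)

def verify_bound(cek, pairwise, msg, tag, binding):
    return (verify_plain(cek, msg, tag)
            and hmac.compare_digest(binding, mac(pairwise, tag)))

def demo():
    results = {}
    # Jim sent one message to Trevor and Peter, so Trevor holds the CEK.
    # A second message tagged under that CEK verifies for Peter exactly
    # like the first: the CEK check carries no origin information.
    second = send_plain(CEK, b"second message")
    results["plain_second_message_verifies"] = verify_plain(CEK, *second)

    # With the binding, Trevor can only use the pairwise key he actually
    # shares with Peter, so the message is attributable to him, not to Jim.
    msg, tag, binding = send_bound(CEK, K_TREVOR_PETER, b"second message")
    results["bound_verifies_as_jim"] = verify_bound(CEK, K_JIM_PETER, msg, tag, binding)
    results["bound_verifies_as_trevor"] = verify_bound(CEK, K_TREVOR_PETER, msg, tag, binding)

    # Jim's genuine message still verifies under the Jim/Peter key.
    genuine = send_bound(CEK, K_JIM_PETER, b"original message")
    results["genuine_verifies_as_jim"] = verify_bound(CEK, K_JIM_PETER, *genuine)
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```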