If I'm reading this right, the attack converts a signed-then-encrypted message
into encrypted-then-signed by exploiting the use of CBC mode. The attacker
deletes, moves, or alters encrypted message blocks (excepting blocks with pad
bits) such that most of the message still decrypts into readable text but the
inner signature breaks. Then he applies his own outer signature.
Because the S/MIME spec requires clients to accept both types of messages and
parsing of structures is lax, the recipient will accept the altered message.
If the recipient replies, he often will include the original message content as
a quoted section, and confidentiality is lost.
OpenPGP forbids encrypt-then-sign (no format for it), so it's not vulnerable.
-- T
_______________________________________________
smime mailing list
smime(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/smime
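As an added illustration, not part of T's message or of any S/MIME implementation, the Go program below shows the CBC property the post relies on and the check that closes it: AES-CBC with no integrity protection decrypts a ciphertext with one block removed to well-formed padding and readable text on either side of a single garbled block, whereas an encrypt-then-MAC tag over the ciphertext rejects the edited message before any plaintext is produced. The keys, IV, sample message and the HMAC construction are constructed for the demo; CMS does not use this exact tag, it stands in for whatever integrity check a client adds.

```go
package main
import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
)
// Constructed demo keys and IV; a real client derives fresh values per message.
var encKey, macKey, iv = []byte("0123456789abcdef"), []byte("fedcba9876543210"), []byte("iviviviviviviviv")
var blk, _ = aes.NewCipher(encKey)
// EncryptCBC applies PKCS#7 padding and AES-CBC. Nothing in the output protects its integrity.
func EncryptCBC(pt []byte) []byte {
	n := aes.BlockSize - len(pt)%aes.BlockSize
	padded := append(pt[:len(pt):len(pt)], bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(ct, padded)
	return ct
}
// DecryptCBC is all an unauthenticated client can do: decrypt, then check only that the final padding is well formed.
func DecryptCBC(ct []byte) ([]byte, error) {
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext length is not a whole number of blocks")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(blk, iv).CryptBlocks(pt, ct)
	n := int(pt[len(pt)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return pt[:len(pt)-n], nil
}
// DropBlock removes ciphertext block i (0-based): the kind of edit the post describes.
func DropBlock(ct []byte, i int) []byte {
	return append(append([]byte{}, ct[:i*aes.BlockSize]...), ct[(i+1)*aes.BlockSize:]...)
}
// Tag is an encrypt-then-MAC tag over the whole ciphertext (demo construction, not CMS).
func Tag(ct []byte) []byte {
	h := hmac.New(sha256.New, macKey)
	h.Write(ct)
	return h.Sum(nil)
}
// VerifyDecrypt checks the tag before decrypting, so a dropped, moved or altered block is rejected outright.
func VerifyDecrypt(ct, tag []byte) ([]byte, error) {
	if !hmac.Equal(Tag(ct), tag) {
		return nil, errors.New("ciphertext integrity check failed")
	}
	return DecryptCBC(ct)
}
```

With a four-block message, dropping the second ciphertext block still yields valid padding and the first and fourth plaintext blocks intact, with only the third block garbled; VerifyDecrypt refuses the same input.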