crypto flaw in secure mail standards

Charlie_Kaufman at iris.com
Mon Jun 25 11:36:12 EDT 2001


>In fact, every secure e-mail
>protocol, old and new, has codified naïve Sign & Encrypt
>as acceptable security practice.  S/MIME, PKCS#7, PGP,
>OpenPGP, PEM, and MOSS all suffer from this flaw.

Actually, that's not true. The encrypted and signed email
functionality contained in Lotus Notes encrypts only body
fields and attachments, but signs the To:, From:, CC:,
Subject:, and TimeSent fields as well. And Lotus Notes predates
most if not all of the "standard" protocols.

I wouldn't call this a cryptographic flaw. I'd call it a flaw
in cryptographic engineering. And it's not a flaw born out of
ignorance. The designers of the standard protocols knew about
the problem (I was there for some of them), but didn't think
their proposed standard would be acceptable if it "committed
layer violations" by extending signature coverage to data not
contained in their "layer". This is a classic example of
something a competent engineer can get right, but which a suite
of committees can't.

           --Charlie Kaufman
           (ckaufman at iris.com)

p.s. Ironically, Lotus Notes is transitioning from its
proprietary email format to S/MIME and trying to figure out how
to make it clear to customers that when they use the new
format, they don't get the protection they may have gotten used
to.






---------------------------------------------------------------------
The Cryptography Mailing List
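
Added example, not part of the message above and not Lotus Notes code: a receiver-side check comparing a signature that covers only the body with one that also covers the To:, From:, CC:, Subject: and TimeSent fields the post lists. Assumptions: HMAC-SHA256 stands in for the sender's public-key signature, and the function names, key and addresses are constructed for illustration.

```python
import hashlib
import hmac

SIGNED_FIELDS = ("To", "From", "CC", "Subject", "TimeSent")  # fields named in the post

def _encode(parts):
    # Length-prefix every item so field boundaries cannot be shifted.
    out = b""
    for p in parts:
        b = p.encode("utf-8")
        out += len(b).to_bytes(4, "big") + b
    return out

def signed_bytes(msg, cover_headers):
    parts = [msg["Body"]]
    if cover_headers:
        parts += [msg.get(f, "") for f in SIGNED_FIELDS]
    return _encode(parts)

def sign(msg, key, cover_headers):
    # Assumption: HMAC-SHA256 is a stand-in for a real public-key signature.
    return hmac.new(key, signed_bytes(msg, cover_headers), hashlib.sha256).digest()

def accept(msg, sig, key, me, cover_headers):
    """Return (ok, reason) for a decrypted message delivered to `me`."""
    if not hmac.compare_digest(sig, sign(msg, key, cover_headers)):
        return False, "bad signature"
    if cover_headers:
        addressed = {a.strip().lower() for f in ("To", "CC")
                     for a in msg.get(f, "").split(",") if a.strip()}
        if me.lower() not in addressed:
            return False, "not a signed recipient"
    return True, "ok"

def demo():
    key = b"constructed-demo-key"
    original = {"From": "alice@example.org", "To": "bob@example.org", "CC": "",
                "Subject": "offer", "TimeSent": "2001-06-25T11:36:12",
                "Body": "I accept your terms."}
    # Constructed case: same signed content, delivered under a rewritten To: header.
    redirected = dict(original, To="carol@example.org")
    results = {}
    for cover in (False, True):
        sig = sign(original, key, cover)
        results[cover] = (accept(original, sig, key, "bob@example.org", cover),
                          accept(redirected, sig, key, "carol@example.org", cover))
    return results

if __name__ == "__main__":
    print(demo())
```

With body-only coverage both deliveries verify; with header coverage the rewritten message fails the signature check, and an unmodified copy delivered to an address outside the signed To:/CC: fields is rejected by the recipient check.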