Super-Encryption

Amir Herzberg amir at herzberg.name
Thu Dec 18 03:31:01 EST 2003


At 16:36 17/12/2003,  Matt wrote:
>Ben, Amir, et al.
>
>I see that cipher1 has no transparent value. Therefore, the XML-Encrypted
>message (see http://www.w3.org/TR/xmlenc-core/ ) must transport
>
>(1) symmetric_IV
>(2) Sign_RSA_Receiver_PK(symmetric_Key)
>(3) cipher
>(4) Sign_RSA_Sender(SHA1(message))

This is still not very good. Comments:

a. In (2) you obviously mean Encrypt_RSA, not Sign_RSA.

b. In (4) you again send the hash of the plaintext in the clear. As I 
explained in my previous note, this is insecure, e.g. if the plaintext is taken 
from a reasonably sized set (which is common), an attacker can find the 
plaintext by hashing all the possible values. There are two fixes to this: 
sign the encrypted message and public key (which we proved secure for most 
PKCS including RSA) or encrypt the signed message (which may be vulnerable 
to Krawczyk/Bleichenbacher's attacks).

c. Notice also (again as I wrote before...) that you don't achieve your 
stated goal of identifying the intended receiver. This is also solved if 
you sign the ciphertext and the receiver's public key, or simply sign the 
identity of the receiver.

Anyway, I am repeating myself, so...

Best regards,

Amir Herzberg
Computer Science Department, Bar Ilan University
Lectures: http://www.cs.biu.ac.il/~herzbea/book.html
Homepage: http://amir.herzberg.name
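
The leak described in point (b) and the fix from points (b) and (c), as an added example that is not part of the original message. It assumes a toy textbook-RSA sender key built from two Mersenne primes, a SHAKE-256 keystream as a stand-in cipher, and constructed sample messages and receiver identifiers.

```python
import hashlib, os

# Toy textbook-RSA sender key (constructed: two Mersenne primes, no padding).
P, Q, E = 2**127 - 1, 2**107 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def h(data: bytes) -> int:
    return int.from_bytes(hashlib.sha1(data).digest(), "big")

def sign(data: bytes) -> int:
    return pow(h(data), D, N)

def verify(data: bytes, sig: int) -> bool:
    return pow(sig, E, N) == h(data)

def encrypt(key: bytes, iv: bytes, msg: bytes) -> bytes:
    # Stand-in stream cipher (assumption), only here to produce a ciphertext.
    ks = hashlib.shake_256(key + iv).digest(len(msg))
    return bytes(a ^ b for a, b in zip(msg, ks))

def guess_plaintext(sig: int, candidates):
    """Point (b): the signature on SHA1(message) confirms a guessed plaintext."""
    return next((c for c in candidates if verify(c, sig)), None)

def bound(cipher: bytes, receiver_id: bytes) -> bytes:
    # Fix: the signed data is the ciphertext plus the receiver's key/identity.
    return len(cipher).to_bytes(4, "big") + cipher + receiver_id

CANDIDATES = [b"BUY", b"SELL", b"HOLD"]  # constructed small plaintext set

def demo():
    key, iv = os.urandom(16), os.urandom(16)
    cipher = encrypt(key, iv, b"SELL")
    leaked = guess_plaintext(sign(b"SELL"), CANDIDATES)   # item (4) as proposed
    fixed_sig = sign(bound(cipher, b"receiver-pk"))       # sign ciphertext + receiver
    safe = guess_plaintext(fixed_sig, CANDIDATES)         # no plaintext match
    ok = verify(bound(cipher, b"receiver-pk"), fixed_sig)
    wrong = verify(bound(cipher, b"other-pk"), fixed_sig) # point (c): other receiver
    return leaked, safe, ok, wrong

if __name__ == "__main__":
    print(demo())
```
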

---------------------------------------------------------------------
The Cryptography Mailing List