PlayStation 3 predicts next US president

dan at dan at
Mon Dec 3 18:14:35 EST 2007

If on the one hand, the correct procedure is sign-encrypt-sign,
then why, on the other hand, is the parallel not sign-hash-sign ?



Donald T. Davis, "Defective Sign & Encrypt in S/MIME, PKCS#7, MOSS, PEM,
PGP, and XML.", Proc. Usenix Tech. Conf. 2001 (Boston, Mass., June
25-30, 2001), pp. 65-78.(180 Kbytes) (PDF, 200 Kbytes) (HTML, 80 Kbytes)

Summary of the paper.

Simple Sign & Encrypt, by itself, is not very secure. Cryptographers
know this well, but application programmers and standards authors still
tend to put too much trust in simple Sign-and-Encrypt. In fact, every
secure e-mail protocol, old and new, has codified naïve Sign &
Encrypt as acceptable security practice. S/MIME, PKCS#7, PGP, OpenPGP,
PEM, and MOSS all suffer from this flaw. Similarly, the secure document
protocols PKCS#7, XML- Signature, and XML-Encryption suffer from the
same flaw. Naïve Sign & Encrypt appears only in file-security and
mail-security applications, but this narrow scope is becoming more
important to the rapidly-growing class of commercial users. With file-
and mail-encryption seeing widespread use, and with flawed encryption in
play, we can expect widespread exposures.

In this paper, we analyze the naïve Sign & Encrypt flaw, we
review the defective sign/encrypt standards, and we describe a
comprehensive set of simple repairs. The various repairs all have a
common feature: when signing and encryption are combined, the inner
crypto layer must somehow depend on the outer layer, so as to reveal any
tampering with the outer layer.

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list