W3C home > Mailing lists > Public > xml-encryption@w3.org > August 2000

RE: encryption in XML & in SMIME

From: Ed Simon <ed.simon@entrust.com>
Date: Mon, 28 Aug 2000 18:21:56 -0400
Message-ID: <3120721CA75DD411B8340090273D20B10C1B7B@sottmxs06.entrust.com>
To: "'stephen.farrell@baltimore.ie'" <stephen.farrell@baltimore.ie>
Cc: "'Don Davis'" <dtd@world.std.com>, xml-encryption@w3.org, don@MIT.EDU, "Ralph R. Swick" <swick@w3.org>, reagle@w3.org
I did perhaps make the sample a little too sparse but I was
working on the assumption, which I think is correct, is that
a number of those looking at this question are not too familiar
with XML Signature.  However, I will describe with more words what
is happening.

<Signature>
...
<EMail>
<To>Captain Kirk</To>
<From>Starfleet Command</From>
<StarDate>2435CE January 19 11:22:33.44 UCT</StarDate>
<Subject>Romulan invasion fleet</Subject>
<Message><Encryption>MIIxyz...</Encryption></Message>
</EMail>
...
</Signature>

In the sample above, I meant to imply that the entire <EMail>
element is signed so that if you change
"<From>Starfleet Command</From>" to
"<From>Moon Zero Two</From>",
the signature breaks.  An email
application that intends the sender and signer to be the same
will specify the signer's identity in the <From> element.

Now I think you (Stephen) are saying, that Moon Zero Two could
still take the encrypted <Message> element and create this
(with Moon Zero Two's signing key):

<Signature>
...
<EMail>
<To>Captain Kirk</To>
<From>Moon Zero Two</From>
<StarDate>2435CE January 19 11:22:33.44 UCT</StarDate>
<Subject>Romulan invasion fleet</Subject>
<Message><Encryption>MIIxyz...</Encryption></Message>
</EMail>
...
</Signature> 

which would make it look like Moon Zero Two sent the encrypted
<Message>.  Moon Zero Two doesn't have to know what the plaintext
version of the message says in order to apply its signature to the
encrypted form.  I agree that this is true.

So let's say Starfleet Command doesn't want 3rd parties doing this
kind of thing to its <Message>s.  It would then need to sign the 
<Message> element's contents as well before encrypting.  I take it 
this is the  "sign/wrap/sign" solution mentioned in Don's email.  
Moon Zero Two can still try passing off the encrypted message as its 
own but a properly designed application will indicate the message came from
Starfleet Command and was simply forwarded by Moon Zero Two.

Don then says why he feels "sign/wrap/sign" is unsatisfactory in
S/MIME because the sender and target info isn't signed in S/MIME.
(Don, am I stating what you said correctly?)

However, in the "sign/wrap/sign" solution I'm suggesting, the
<To> and <From> elements are signed by the same entity that signed
the content of the <Message> element before encrypting it.

That way one can keep <KeyInfo> unsigned and still solve the problem.
Right?

If Stephen, you are suggesting there is a potential security flaw in XML
Signature because <KeyInfo> is not signed, then we should start
including "w3c-ietf-xmldsig@w3.org " on this discussion.

Ed
-----Original Message-----
From: Stephen Farrell [mailto:stephen.farrell@baltimore.ie]
Sent: Monday, August 28, 2000 5:08 PM
To: Ed Simon
Cc: 'Don Davis'; xml-encryption@w3.org; don@MIT.EDU; Ralph R. Swick;
reagle@w3.org; xme
Subject: Re: encryption in XML & in SMIME



Ed,

Not enough detail to say, (you didn't show where the signature
bits are), but assuming they're outside the EMail then...

<Signature>
...
<EMail>
<To>Captain Kirk</To>
<From>Starfleet Command (Dublin)</From>
<StarDate>2435CE January 19 11:22:33.44 UCT</StarDate>
<Subject>Romulan invasion fleet</Subject>
<Message><Encryption>MIIxyz...</Encryption></Message>
</EMail>
...
</Signature>

Still says whatever it says, even if the Dublin starfleet folks
have no idea what it says. This is independent of XML (and any
other representation) - basically you can steal ciphertext if
the signature's on the outside.

One way 'round this is to include the keyInfo inside the 
plaintext and for the recipient to know to compare that to
the keyInfo actually used to verify the signature. If they
match then the encryptor and signer are the same, otherwise
not.

One potential XML advantage would be if the signature bits
and keyInfo could be inside the Encryption...maybe someone
can figure that transform!

Stephen.


-- 
____________________________________________________________
Stephen Farrell         				   
Baltimore Technologies,   tel: (direct line) +353 1 647 7406
61 Fitzwilliam Lane,                    fax: +353 1 647 7499
Dublin 2.                mailto:stephen.farrell@baltimore.ie
Ireland                             http://www.baltimore.com
Received on Monday, 28 August 2000 18:27:02 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 27 October 2009 08:42:17 GMT