Re: Combining signing and encrypting

hal@finney.org wrote:
>David Solo, david.solo@citicorp.com, writes:
>> At the workshop, I promised to send a couple paragraphs on minimum
>> requirements around handling documents with both encryption and signatures
>> (sorry about the delay, I've been moving and on vacation).
>>
>> In general, both signature and encryption operations may be performed on
>> an XML document.  Depending on the usage case (see below), a signature
>> may be applied to plaintext or ciphertext portions of documents.
>> To verify a signature, the recipient must know whether to decrypt
>> before or after signature verification (possibly differently for
>> different encrypted portions).  In order to enable efficient and
>> automated signature validation, a goal of the design should be to allow
>> well-behaved applications to indicate to the verifier/recipient how
>> to unambiguously figure out in which order to perform decryption and
>> signature validation operations (ill-behaved applications may always cause
>> things to break). [Note: the suggestion is to add this last sentence to
>> the requirements document.]
>
>One approach would be, when signing before encrypting, to always encrypt
>the signature block along with the data being encrypted. 

We support this approach for sign/crypt, because we think that it is a
kind of attack if a signature for encrypted data can be removed without
being noticed.
(See 6.1 of our Req-Doc:
http://lists.w3.org/Archives/Public/xml-encryption/2000Nov/att-0004/01-enc-requirements_2000-10-31.html)

>This is good for
>two reasons.  First, since the sig can't be verified without decrypting
>the data, you might as well do this.
>
>Second, if you don't do this, the signature may leak information about
>the data being encrypted.  In particular it allows for guesses at the
>content of the encrypted data to be confirmed.
>
>Hal Finney PGP Security

Combining sig and crypt becomes even more important, as we want to reuse
XML-Signatures to guarantee integrity of the encrypted data and don't want
to define how to create something like a HMAC within XML-Encryption.
So that's a matter of crypt/sign in this case.
Should we provide a mechanism that guarantees that an outer signature
can't be removed without being noticed, too?


Arne Priewe

Received on Thursday, 30 November 2000 13:37:57 UTC
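
Added example, not part of the original message or of any XML-Encryption draft: a Python sketch of the guess-confirmation leak Hal Finney describes when a sign-then-encrypt signature block is left outside the ciphertext, next to the layout that encrypts the signature block with the data. The `<Salary>` element, the candidate list, the SHA-256 digest standing in for an XML-Signature `DigestValue` (no canonicalization or transforms), and the toy keystream cipher are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

def digest_value(element: bytes) -> str:
    # Stand-in for the DigestValue an XML-Signature Reference carries (assumption: SHA-256, no c14n).
    return hashlib.sha256(element).hexdigest()

def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Illustrative SHA-256 keystream cipher with a random nonce; not a real cipher.
    nonce = os.urandom(16)
    stream = b""
    counter = 0
    while len(stream) < len(plaintext):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return nonce + bytes(p ^ s for p, s in zip(plaintext, stream))

def package_sig_outside(key: bytes, element: bytes) -> dict:
    # Sign, then encrypt only the data: the signature block travels in the clear.
    return {"cipher": toy_encrypt(key, element), "clear_digest": digest_value(element)}

def package_sig_inside(key: bytes, element: bytes) -> dict:
    # Sign, then encrypt the data and the signature block together.
    sig_block = b"<DigestValue>" + digest_value(element).encode() + b"</DigestValue>"
    return {"cipher": toy_encrypt(key, element + sig_block), "clear_digest": None}

def confirm_guess(package: dict, candidates: list):
    # What a party without the key learns from the cleartext parts of the package.
    seen = package["clear_digest"]
    if seen is None:
        return None  # nothing outside the ciphertext to test guesses against
    for guess in candidates:
        if hmac.compare_digest(digest_value(guess), seen):
            return guess
    return None

# Constructed sample data.
KEY = os.urandom(32)
ELEMENT = b"<Salary>85000</Salary>"
CANDIDATES = [b"<Salary>%d</Salary>" % n for n in range(50000, 100001, 5000)]

if __name__ == "__main__":
    print("signature outside:", confirm_guess(package_sig_outside(KEY, ELEMENT), CANDIDATES))
    print("signature inside: ", confirm_guess(package_sig_inside(KEY, ELEMENT), CANDIDATES))
```

With a public-key signature the same confirmation works through signature verification as well, so hiding only the digest while leaving the signature value in the clear would not close the leak.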