W3C home > Mailing lists > Public > xml-encryption@w3.org > April 2001

RE: Xenc Requirements req - comments on security and other issues

From: Amir Herzberg <AMIR@newgenpay.com>
Date: Tue, 17 Apr 2001 12:18:45 +0300
Message-ID: <078EE8822DCFD411AAA1000629D56ADC0523AA@IMP01>
To: "Xml Encrypt (E-mail)" <xml-encryption@w3.org>
Jeremy, 
> But my main point remains.... how feasible is it for an 
> attacker (be they a
> dishonest signer, a dishonest recipient, or
> an attacker in the middle who's trying to foul the 
> relationship between the
> two) to mount such an attack presuming the types of 
> cryptosystems proposed
> for this standard?  

This depends mostly on the encryption scheme used. Some schemes which are
fine for encryption, including some `modes` are completely volunerable
against this attack (which is against the signature properties when the
verification of the signature is by showing the plaintext and encryption
key/process). So the caution is simply to warn the implementors not to use
such a system. I guess this means that if they want to use this mode, they
should understand a bit in cryptography to be sure they use an appropriate
encryption function (if we care to we can explicitly say that certain
encryption functions we specify seem to have this property). 

Best regards, 
Amir Herzberg
CTO, NewGenPay Inc.  

See our demo and overview/tutorials on secure e-commerce in
http://www.NewGenPay.com
Received on Tuesday, 17 April 2001 05:15:27 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 27 October 2009 08:42:18 GMT