- From: Mike Wray <mjw@hplb.hpl.hp.com>
- Date: Mon, 26 Feb 2001 09:31:31 -0500 (EST)
- To: Paul.Lambert@cosinecom.com
- Cc: xml-encryption@w3.org
Resent-Date: Fri, 23 Feb 2001 22:11:56 -0500 (EST) >From: Paul Lambert <Paul.Lambert@cosinecom.com> > # On Integrity Checking > >I propose that "integrity" requirements be added: > >x. The specification must provide mechanisms to check the integrity of >decrypted data. Mandatory to implement algorithms should include integrity >check mechanisms. > > >Integrity is a critical service. There are a variety of attacks possible if >the veracity of decrypted information is not validated. This validity check >should be mandatory. > >Digital signatures provide integrity and could be used within an >EncryptedData element. This is overkill. All that is needed is a more >simple mechanism (checksum, MAC or know value) to reliably indicate that the >decryption process was successful. > I strongly support the suggestion of requiring support for data integrity checking in XML-Encryption. In fact I was about to propose exactly this myself. We should at least mandate something like HMAC-SHA1. This is easy to implement, and removes the necessity to implement XML-signature just to get integrity checking (which is overkill as Paul says). The encryption step has to reduce XML to bytes for the cipher, and it is easy to add a MAC at this point (and check on decode). It would probably be a good idea to go as far as saying that MAC is included by default in the encryption transform. People often assume that encryption alone is enough, and that when encrypting you don't need integrity checks - which can lead to nasty flaws. It's safer to always include a MAC when encrypting. Mike Wray (mike_wray@hp.com)
Received on Monday, 26 February 2001 09:51:47 UTC