Re: Signing and Encryption

----- Original Message -----
From: "Yongge Wang" <ywang@certicom.com>
> I am not sure which attack on RSA you are talking about. If you are talking
> about Daniel Bleichenbacher's crypto 98 paper:
>      "Chosen Ciphertext Attacks against Protocols Based on RSA Encryption
> Standard PKCS #1"
>      in Advances in Cryptology -- CRYPTO'98, LNCS vol. 1462, pages: 1--12, 1998

I do not recall where it was given, or if it was even published, but the
issue was there and it caused the revision. Basically it was shown that by
choosing your RSA key pair, and keeping the factors of N, you could create
many different statements easily, with very real possibilities for fraud. As
was said, one alternative to make this secure is to encrypt the key used
also.

> Though signature
> is different from MAC, but we should keep in mind that digital signature
> is an extension of MAC.

Actually they are very different in security meaning. In short a MAC is a
statement that a member of the group authenticates the statement, a
signature has very real legal meaning. It's the legal meaning that's causing
all the problems here, without any legal meaning a signature on the
encrypted data asserts the authenticity of the encrypted data, not what was
encrypted. Because of the legal meaning we now have to deal with a massive
number of other options.

What I think needs to happen is we need to assign exacting standards about
encapsulation and non-encapsulation with regard to signed and encrypted
data. This may take small changes to the signature standard, which I dislike
doing because it is basically finished, and it will take fine detail on our
part.

Perhaps we could get away with defining our own canonicalization, defining
that the encryption/decryption key(s) be kept at the same level as the
encrypted data. Since the signature standard introduces additional layers of
XML a signature that did not contain both the encrypted data and the
encryption keys would invalidate the encryption, making the signed data
simply arbitrary random looking data, which is safe to sign with no
consequences. Any thoughts?
                        Joe

Received on Tuesday, 23 January 2001 14:13:52 UTC
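
The point made in the message above, that a signature over encrypted data alone asserts only the ciphertext while one that also covers the key pins down the statement, shown as an added example (not code from this thread or from any standard). A one-time-pad XOR stands in for the cipher and a SHA-256 digest stands in for the bytes a signature would cover; both are assumptions chosen to keep it self-contained, and all names and sample data are constructed.

```python
import hashlib
import hmac


def xor_bytes(a, b):
    """One-time-pad style XOR; stands in for the cipher (assumption)."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def signed_digest(ciphertext, key=None):
    """Digest of the signed scope; key=None models signing ciphertext only."""
    h = hashlib.sha256()
    for part in (ciphertext,) if key is None else (ciphertext, key):
        h.update(len(part).to_bytes(4, "big") + part)  # length-prefix each field
    return h.hexdigest()


def open_claim(digest, ciphertext, key, key_in_scope):
    """Return the plaintext a verifier would accept, or None if rejected."""
    expected = signed_digest(ciphertext, key if key_in_scope else None)
    if not hmac.compare_digest(expected, digest):
        return None
    return xor_bytes(ciphertext, key)


def demo():
    # Constructed sample data, not taken from the thread.
    stmt_a = b"approve draft 1"
    stmt_b = b"approve draft 2"
    key_a = hashlib.sha256(b"constructed sample key").digest()[:len(stmt_a)]
    ciphertext = xor_bytes(stmt_a, key_a)
    key_b = xor_bytes(ciphertext, stmt_b)  # a second key for the same ciphertext

    loose = signed_digest(ciphertext)         # scope: ciphertext only
    bound = signed_digest(ciphertext, key_a)  # scope: ciphertext and key
    return {
        "loose": [open_claim(loose, ciphertext, k, False) for k in (key_a, key_b)],
        "bound": [open_claim(bound, ciphertext, k, True) for k in (key_a, key_b)],
    }


if __name__ == "__main__":
    print(demo())
```

With the key outside the signed scope, both statements verify against the same digest; with the key inside it, only the original statement does.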