Re: Signing and Encryption from Joseph Ashwood on 2001-01-26 (xml-encryption@w3.org from January 2001)

From: Joseph Ashwood <jashwood@arcot.com>
Date: Thu, 25 Jan 2001 16:16:50 -0800
To: <xml-encryption@w3.org>
Cc: "'Takeshi Imamura'" <IMAMU@jp.ibm.com>
Message-ID: <01cf01c0872d$4d047630$2a0210ac@livermore>

----- Original Message -----
From: "Takeshi Imamura" <IMAMU@jp.ibm.com>
To: "Joseph Ashwood" <jashwood@arcot.com>
Cc: <xml-encryption@w3.org>

> >If this signature does not verify
> >with the ciphertext still encrypted it should be considered tampered with
> >(although at a later date it may be untampered through the removal of the
> >encryption).
>
> According to [1], encryption after signing requires signature value to be
> encrypted.  If doing so, we don't have to try to verify signature.  This
is
> because we can see whether signature contains encrypted data by examining
> whether signature value is encrypted.
>
> Anyway, this solution raises another problem.  If signature contains
> multiple encrypted data, how do we distinguish encrypted data before
> signing and ones after signing?

We don't, because of the above rule [1], any information that is signed if
any portion of it is later encrypted the entire signed data (including
signature) needs to be encrypted, otherwise you are altering the data, which
should and will invalidate the signature.

> >3.7 The EncryptedReference element
> >
> >The EncryptedReference element provides a way to indicate
> >that data, over which an XML Digital Signature (xmlns:ds) has
> >been computed, was encrypted.  In essence, it indicates the data
> >should not be decrypted prior to signature verification.
> >This element may only appear within a ds:Reference element
> >within a ds:Signature element. ...

If we maintain a strict definition of encryption with regard to signing, in
such a way that encryption of a portion of the signed data without
encrypting the entire signed contents and signature invalidates the
signature, then this rule becomes unnecessary, from the simple fact that any
encryption added to the signed data that does not include the signature
itself tampers with the signature data, and therefore invalidates the
signature.

Basically I'm just siggesting that the rule be that if the signed data is
altered in any way, the signature should become mathematically invalid (this
includes anyone encrypting portions of it). This is the general intention
with signatures anyway, we are simply considering changing the rule when
encryption becomes involved. I'm sorry but as a cryptanalyst I can see no
reason to introduce an extra rule that may by it's presence weaken the
encryption and signature.
                            Joe

> [1] http://lists.w3.org/Archives/Public/xml-encryption/2001Jan/0072.html
> [2]
>
http://lists.w3.org/Archives/Public/xml-encryption/2000Dec/att-0024/01-XMLEn
cryption_v01.html
>

Received on Thursday, 25 January 2001 19:17:06 UTC