- From: Joseph Reagle <reagle@w3.org>
- Date: Fri, 24 May 2002 14:57:35 -0400
- To: Aaron Swartz <me@aaronsw.com>
- Cc: Mark Baker <distobj@acm.org>, xml-encryption@w3.org
On Friday 24 May 2002 14:36, Aaron Swartz wrote:
> Doesn't this leak the fact that a PNG is encrypted? Is there any way to
> include this metadata inside the encrypted data?

It does. One could go down the alternative path of the EncryptedData being rather opaque:

1. The ciphertext when decrypted yields some sort of structure like:
     <cleartext xmlns="http://example.org/020524">
       <MimeType>image/png</MimeType>
       <base64enc-Object>cafebabe...</base64enc-Object>
     </cleartext>
2. and the application can then base64 decode to get the literal object that was encrypted.

However, this complicates the processing a bit, and we've already had to confront the issue of an adversary having a sense of the data type and structure (particularly when you encrypted an element within an XML document, no avoiding it there!) with the realization that you have to choose good algorithms and cannot rely on this obscurity for security. (However, it's not all that much more complex, and if someone really wanted to do something like this, they could support such an extension within the current framework using the Type attribute [2]).

[2] http://lists.w3.org/Archives/Public/xml-encryption/2002Feb/0017.html

--
Joseph Reagle Jr.                 http://www.w3.org/People/Reagle/
W3C Policy Analyst                mailto:reagle@w3.org
IETF/W3C XML-Signature Co-Chair   http://www.w3.org/Signature/
W3C XML Encryption Chair          http://www.w3.org/Encryption/2001/
Received on Friday, 24 May 2002 14:58:06 UTC
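
The wrapping sketched in the message above, as an added example that is not part of the original post: the MIME type and the base64-encoded object are placed in a `<cleartext>` structure that is serialized before encryption and parsed again after decryption. The function names `wrap` and `unwrap` are hypothetical, the element names and namespace are the ones from the message's sketch, and the cipher step itself is assumed to be done by whatever XML Encryption implementation is in use.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

NS = "http://example.org/020524"  # example namespace used in the message


def wrap(obj: bytes, mime_type: str) -> bytes:
    """Build the <cleartext> structure; its bytes are what gets encrypted."""
    root = ET.Element(f"{{{NS}}}cleartext")
    ET.SubElement(root, f"{{{NS}}}MimeType").text = mime_type
    ET.SubElement(root, f"{{{NS}}}base64enc-Object").text = (
        base64.b64encode(obj).decode("ascii"))
    return ET.tostring(root, encoding="utf-8", default_namespace=NS)


def unwrap(plaintext: bytes) -> tuple[str, bytes]:
    """Parse decrypted plaintext; return (mime_type, original object)."""
    try:
        root = ET.fromstring(plaintext)
    except ET.ParseError as exc:
        raise ValueError("decrypted data is not well-formed XML") from exc
    if root.tag != f"{{{NS}}}cleartext":
        raise ValueError(f"unexpected root element {root.tag!r}")
    mime = root.findtext(f"{{{NS}}}MimeType")
    b64 = root.findtext(f"{{{NS}}}base64enc-Object")
    if not mime or b64 is None:
        raise ValueError("missing MimeType or base64enc-Object")
    try:
        # Step 2 of the message: base64 decode to get the literal object.
        obj = base64.b64decode(b64.strip(), validate=True)
    except binascii.Error as exc:
        raise ValueError("base64enc-Object is not valid base64") from exc
    return mime.strip(), obj


if __name__ == "__main__":
    # Constructed sample: the PNG signature plus filler bytes.
    png = b"\x89PNG\r\n\x1a\n" + b"constructed sample"
    plaintext = wrap(png, "image/png")   # hand these bytes to the cipher
    mime, recovered = unwrap(plaintext)  # run on the decrypted bytes
    print(mime, recovered == png)
```
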