- From: Amir Herzberg <AMIR@newgenpay.com>
- Date: Mon, 6 Aug 2001 18:16:12 +0300
- To: "'merlin'" <merlin@baltimore.ie>, xml-encryption@w3.org
Merlin sent very nice samples of signatures w/ encryption key info:

> . MAC key transported using RSA/OAEP
> . MAC key agreed using Diffie Hellman
> . MAC key wrapped using triple DES, decryption key fixed
> . MAC key wrapped using triple DES, decryption key agreed
>   using Diffie Hellman

I have the following concern. These examples send the authentication (MAC) key encrypted (in different ways). However, to ensure authentication, the auth. key needs to be authenticated, not just secret...

The most extreme concern is with MAC key transported using RSA/OAEP. In this example, the auth key is encrypted with the recipient's public key - but not authenticated at all. If no additional authentication is performed, this appears insecure.

The three other examples send the MAC key encrypted using a key shared between the parties. Here, the concern is not as bad, but still exists. Specifically the encryption may be replayed, thereby causing the recipient to re-use an old MAC key. It is preferable that a key will be used only after verifying it is `fresh` (using time or nonce).

Best, Amir
Received on Monday, 6 August 2001 11:12:25 UTC
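
The freshness check suggested in the message above, as an added example that is not part of the original post or of Merlin's samples: a recipient accepts a wrapped MAC key only after its envelope is authenticated under a shared key and found fresh by time and nonce. The envelope layout, HMAC-SHA256, the 300-second window and all names are assumptions; the wrapped key is treated as an opaque blob, and this covers the shared-key cases only, not RSA/OAEP transport.

```python
import hashlib
import hmac
import os

WINDOW = 300  # assumed policy: seconds a key-transport envelope stays acceptable

def envelope_tag(auth_key: bytes, nonce: bytes, ts: int, wrapped: bytes) -> bytes:
    # Length-prefix the nonce and fix the timestamp width so fields cannot shift.
    msg = len(nonce).to_bytes(2, "big") + nonce + ts.to_bytes(8, "big") + wrapped
    return hmac.new(auth_key, msg, hashlib.sha256).digest()

def make_envelope(auth_key: bytes, wrapped: bytes, now: int) -> dict:
    nonce = os.urandom(16)
    return {"nonce": nonce, "ts": now, "wrapped": wrapped,
            "tag": envelope_tag(auth_key, nonce, now, wrapped)}

class FreshKeyReceiver:
    def __init__(self, auth_key: bytes, window: int = WINDOW):
        self.auth_key, self.window = auth_key, window
        self.seen = {}  # nonce -> timestamp of envelopes already accepted

    def accept(self, env: dict, now: int) -> bytes:
        expected = envelope_tag(self.auth_key, env["nonce"], env["ts"], env["wrapped"])
        if not hmac.compare_digest(env["tag"], expected):
            raise ValueError("not authentic")
        if abs(now - env["ts"]) > self.window:
            raise ValueError("stale")
        # Entries outside the window can go: replaying them fails the check above.
        self.seen = {n: t for n, t in self.seen.items() if abs(now - t) <= self.window}
        if env["nonce"] in self.seen:
            raise ValueError("replayed")
        self.seen[env["nonce"]] = env["ts"]
        return env["wrapped"]  # only now hand the blob to the unwrap step

def outcome(rx: FreshKeyReceiver, env: dict, now: int) -> str:
    try:
        rx.accept(env, now)
        return "accepted"
    except ValueError as exc:
        return str(exc)

def demo() -> list:
    key = b"constructed-shared-auth-key-0001"  # constructed sample value
    rx = FreshKeyReceiver(key)
    env = make_envelope(key, b"opaque-wrapped-mac-key", now=1000)  # constructed blob
    altered = dict(env, wrapped=b"substituted-blob")  # tag no longer matches
    return [outcome(rx, env, 1010), outcome(rx, env, 1020),
            outcome(rx, env, 2000), outcome(rx, altered, 1010)]
```

Calling `demo()` returns the outcome of a first delivery, an immediate replay, a late replay, and an envelope whose wrapped key was swapped.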