Re: Possible weakness with signatures w/ encryption key info

Hi Amir,

I'm not suggesting, for a moment, that those examples are meaningful
from a security perspective. They are not.

They are simply contrived syntactic examples of possible interest for
interop. They are more straightforward than encrypted data because the
plaintext verification is implicit in the signature verifying.

Nothing further is stated or intended.

Merlin

r/AMIR@newgenpay.com/2001.08.06/18:16:12
>Merlin sent very nice samples of signatures w/ encryption key info: 
>> . MAC key transported using RSA/OAEP
>> . MAC key agreed using Diffie Hellman
>> . MAC key wrapped using triple DES, decryption key fixed
>> . MAC key wrapped using triple DES, decryption key agreed 
>> using Diffie Hellman
>I have the following concern. These examples send the authentication (MAC)
>key encrypted (in different ways). However, to ensure authentication, the
>auth. key needs to be authenticated, not just secret... 
>
>The most extreme concern is with MAC key transported using RSA/OAEP. In
>this example, the auth key is encrypted with the recipient's public key -
>but not authenticated at all. If no additional authentication is performed,
>this appears insecure. 
>
>The three other examples send the MAC key encrypted using a key shared
>between the parties. Here, the concern is not as bad, but still exists.
>Specifically the encryption may be replayed, thereby causing the recipient
>to re-use an old MAC key. It is preferable that a key will be used only
>after verifying it is `fresh` (using time or nonce). 
>
>Best, Amir
>



Received on Monday, 6 August 2001 12:11:56 UTC
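
The freshness check asked for in the quoted message (use a transported key only after verifying it is fresh, by time or nonce), sketched as an added example that is not part of the original thread. It assumes the parties hold a shared authentication key `auth_key` separate from the key-encryption key, and it treats the wrapped MAC key as opaque bytes; `seal`, `Receiver` and `MAX_SKEW` are hypothetical names.

```python
import hashlib
import hmac
import os
import struct
import time

MAX_SKEW = 300  # assumed acceptance window, in seconds


def seal(auth_key, wrapped_mac_key, now=None):
    """Sender: bind the wrapped MAC key to a fresh nonce and a timestamp."""
    ts = struct.pack(">Q", int(time.time() if now is None else now))
    header = os.urandom(16) + ts
    tag = hmac.new(auth_key, header + wrapped_mac_key, hashlib.sha256).digest()
    return header + tag + wrapped_mac_key


class Receiver:
    def __init__(self, auth_key):
        self.auth_key = auth_key
        self.seen = {}  # nonce -> timestamp of accepted transports

    def accept(self, blob, now=None):
        """Return the wrapped key only if it is authenticated and fresh."""
        now = time.time() if now is None else now
        if len(blob) < 56:
            raise ValueError("truncated key transport")
        nonce, ts_raw, tag = blob[:16], blob[16:24], blob[24:56]
        wrapped = blob[56:]
        expected = hmac.new(self.auth_key, nonce + ts_raw + wrapped,
                            hashlib.sha256).digest()
        # Authenticate before trusting any field, including the timestamp.
        if not hmac.compare_digest(tag, expected):
            raise ValueError("key transport not authenticated")
        ts = struct.unpack(">Q", ts_raw)[0]
        if abs(now - ts) > MAX_SKEW:
            raise ValueError("stale key transport")
        # Nonces older than the window are rejected as stale anyway.
        self.seen = {n: t for n, t in self.seen.items()
                     if now - t <= MAX_SKEW}
        if nonce in self.seen:
            raise ValueError("replayed key transport")
        self.seen[nonce] = ts
        return wrapped
```
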