Re: Signing and Encryption from Joseph Ashwood on 2001-01-24 (xml-encryption@w3.org from January 2001)

From: Joseph Ashwood <jashwood@arcot.com>
Date: Wed, 24 Jan 2001 11:05:30 -0800
To: <xml-encryption@w3.org>
Message-ID: <082401c08638$aa6a5600$2a0210ac@livermore>

From: "Takeshi Imamura" <IMAMU@jp.ibm.com>
> Joseph,
>
> >The attached signatures are a different matter, it needs to be verified
> >that the granularity of the encryption is such that if the data to be
> >signed is signed at a higher level the encryption needs to take place at
> >the higher level. The lower level case we don't need to concern ourselves
> >with, we will afterall be encrypting the signature along with it
> >(provided it is attached).
>
> Sorry, but I didn't follow these sentences.  Could you explain what
"higher
> level" and "lower level" mean with examples?

Certainly I can, you can easily consider them as outer and
inner.Specifically I meant (I am using encrypted and signed tags because I
feel they are clear in this context):
<Level 1>
    <Encryption Key data>...</Encryption Key data>
    <encrypted>
        <signed>
        </signed>
    </encrypted>
</level 1>

Is clear because the signature tags cannot be viewed before decryption, so
there is no ambiguity.

On the contrary:
<level 1>
    <signed>
        <encryption key data></>
        <encrypted>
        </encrypted>
    </signed>
</level 1>

May or may not be a tampered system. It is not as clear because the contents
of the encrypted tags may have been encrypted before or after the signature
took place. I do not consider this ambiguous because the presence of the
encrypted key data tags shows that the intent was for the encrypted data to
be signed (as opposed to the clear data). If this signature does not verify
with the ciphertext still encrypted it should be considered tampered with
(although at a later date it may be untampered through the removal of the
encryption).

Further
<level 1>
    <encryption key data></>
    <signed>
        <encrypted>
        </encrypted>
    </signed>
<level 1>

Is an ambiguous state. Because of the issues with unsigned encryption keys
governing signed ciphertext, this state should be considered invalid, and I
believe it should be noted as such. The other possibility of having a
partial signing before partial encryption is completely ambiguous, and the
creation of such a beast would (I think) violate the signature spec making
the signature invalid.

I suppose we could simply set the rule that if signature tags are visible
they take precedence. I think that would be a simple enough convention, and
would remove all ambiguity.
                    Joe

Received on Wednesday, 24 January 2001 14:06:07 UTC