Re: Fwd: Surreptitious Forwarding from Don Davis on 2001-07-27 (xml-encryption@w3.org from July 2001)

From: Don Davis <dtd@world.std.com>
Date: Thu, 26 Jul 2001 23:14:17 -0400
To: "Joseph M. Reagle Jr." <reagle@w3.org>
Cc: "XML Encryption WG " <xml-encryption@w3.org>, dtd@world.std.com
Message-Id: <l03110701b7867f16ed2e@[208.192.101.175]>
>> After further discussion, the group agrees to include a
>> statement akin to, "the presence of encryption does not imply
>> anything about integrity or authenticity of the message" and
>> include a reference to those sections ("see what you sign")
>> of xmldsig; add a sentence in XML-dsig with this recipient
>> issue as an example. ...

hi, joseph--

thank you for writing, but i'm sorry, neither of the
alterations makes the correct point, which is:

   In a signed-and-encrypted message, there's no
   assurance that the signer and the encryptor are
   the same person, so there's no assurance that
   the signer intends for the decryptor to see the
   message.

in particular, your alteration for XML-Sig seems to suppose
that i've pointed out that cleartext recipient-headers are
insecure, since they haven't been signed.  this is not my
point, though.  instead, my paper, and the attack, make no
reference to the recipient-header.  indeed, the attack is
effective only if the user supposes that the inner signature
somehow authenticates the outer envelope.  it's only this
false supposition, not the unsigned recipient-header, that
misleads the user to believe that the message was securely
addressed to him.

as proof of my claim that the cleartext recipient-header
is unimportant to the attack, suppose:

   * the signed-and-encrypted message bears no cleartext
     recipient-header, but is only a naked ciphertext,
   * the recipient is told verbally, by an anonymous
     telephone-call, that the message was encrypted with
     his public-key.
   * then the recipient can attempt the decryption, which
     will succeed;
   * inside, he'll find a signed plaintext and (let's
     suppose) the signer's certificate;
   * when he verifies the signature, he finds it valid.

then, a nonspecialist recipient will tacitly, naturally,
and incorrectly assume that the signer encrypted the message
for this recipient to see.  the recipient believes this, not
because he trusts the anonymous phone-call, but because the
recipient is a non-specialist, and trusts the cryptography
blindly and uncritically.

actually, i'm grateful for the opportunity to correct this
particular misunderstanding, because i've heard it many
times by now, but this is the first time i've fully realized
what i hadn't emphasized properly:  it's the decryption, not
the recipient-header, that _seems_ to identify the recipient.

now, i'd like to suggest minor adjustments of your cautionary
texts.

Instead of:

   "the presence of encryption does not imply anything
    about integrity or authenticity of the message"

I'd suggest:

   "the presence of encryption does not imply anything
    about integrity or authenticity of the ciphertext"

for Xml-Enc, I'd suggest:

   "Also, recipients of encrypted messages must remember
    that encryption itself does not imply anything about
    the integrity or authenticity of the ciphertext."

for XML-Sig, I'd suggest:

   "Second, a ciphertext envelope containing signed
    information is not secured by the signature.
    For instance, when an encrypted envelope contains
    a signature, the signature does not protect the
    authenticity or integrity of the ciphertext, even
    though the signature does protect the integrity
    of the plaintext."

thanks again, and very much, for writing.

					- don davis, boston






>Forwarded Text ----
>>Date: Wed, 25 Jul 2001 15:56:27 -0400
>>To: "XML Encryption WG " <xml-encryption@w3.org>
>>From: "Joseph M. Reagle Jr." <reagle@w3.org>
>>Cc: "IETF/W3C XML-DSig WG" <w3c-ietf-xmldsig@w3.org>
>>Subject: Surreptitious Forwarding
>>
>>Completing an action item from last week's xmlenc f2f:
>>
>>http://www.w3.org/Encryption/2001/Minutes/0720-Redwood/minutes.html#forwarding
>>
>>>After further discussion, the group agrees to include a
>>>statement akin to, "the presence of encryption does not imply
>>>anything about integrity or authenticity of the message" and
>>>include a reference to those sections ("see what you sign") of
>>>xmldsig; add a sentence in XML-dsig with this recipient issue as an
>>>example. Action Reagle: do the edits to xmlenc and
>>>xmldsig specs.
>>
>>
>>Encryption now reads:
>>http://www.w3.org/Encryption/2001/Drafts/xmlenc-core/Overview.html#sec-Securit
>>y
>>
>>>6.1 Relationship to XML Digital Signatures
>>...
>>>Also, recipients of encrypted messages must remember that
>>>encryption itself does not imply anything about the integrity or
>>>authenticity of that data [XMLDSIG, 8.1.1 Only
>>>What is Signed is Secure].
>>
>>
>>DSig now reads:
>>http://www.w3.org/Signature/Drafts/xmldsig-core/Overview.html#sec-Secure
>>
>>Second, information that is not signed but part of an
>>envelope containing signed information is obviously not secured.
>>For instance, unsigned recipient headers accompanying signed
>>information within an encrypted envelope does not have its authenticity or
>>integrity protected.
>>
>>--
>>Joseph Reagle Jr.                 http://www.w3.org/People/Reagle/
>>W3C Policy Analyst                mailto:reagle@w3.org
>>IETF/W3C XML-Signature Co-Chair   http://www.w3.org/Signature
>>W3C XML Encryption Chair          http://www.w3.org/Encryption/2001/
>End Forwarded Text ----
Received on Friday, 27 July 2001 09:11:02 UTC