RE: Integrity Checking Requirement was -> RE: HW Support and XML Enc ryption Requirements

>From pbaker@verisign.com Tue Feb 27 17:09:21 GMT 2001
>Good encryption & MAC schemes exist.
>
>However there is no need to treat such a scheme any differently than an
>encryption only scheme.
>
>The argument I was making is that the encryption algorithm and MAC method
>MUST be considered as a single unit. 
>

I'm not sure I follow your argument - I am proposing adding support for
MAC to XML-Encryption and you seem to be opposing that.

If we leave things as they are, and use XML-Signature to do MAC,
then we are in the `mix and match' state you deprecate.

We are also making it much more complex to implement and less
efficient to use than if we simply add MAC to our cipher suite specs.

>Note also that an authenticate & encrypt function is only valid if the
>symmetric key is authenticated by the recipient. If the symmetric key is
>simply recovered from an encrypted RSA blob there is no authenticity, the
>message could be faked by anyone.

You are entirely correct about this of course: no message authentication
without sender authentication. This is true whether the MAC is in
XML-Encryption or done using XML-signature.

It is possible for a user to do insecure things whether MAC is
in XML-Encryption or not - so that argument cannot be used 
against supporting MACs.

Do you have a specific reason to oppose supporting MAC in the
encryption cipher suites in XMl-Encryption?
One that does not apply if we just tell people to use XML-Signature?

Mike Wray (mjw@hpl.hp.co.uk)

Received on Thursday, 1 March 2001 16:57:18 UTC