Re: question about crypted large ammout of data inside XML from Joseph Ashwood on 2002-03-21 (xml-encryption@w3.org from March 2002)

From: Joseph Ashwood <ashwood@msn.com>
Date: Wed, 20 Mar 2002 17:56:42 -0800
To: "Nedelcho Stanev" <nstanev@syntrex.com>, <xml-encryption@w3.org>
Message-ID: <018701c1d07b$bc625400$6401a8c0@josephas>

----- Original Message -----
From: "Nedelcho Stanev" <nstanev@syntrex.com>
To: <xml-encryption@w3.org>
Sent: Wednesday, March 20, 2002 8:05 AM
Subject: question about crypted large ammout of data inside XML

[encrypt and sign excessively large files]

IIRC this shouldn't be too hard to do. I'll be abbreviating everything for
the sake of viewing ease. I believe the end result XML will look something
like (assuming the encryption is completely transparent):

<encrypted>
<signed>
      <data>
          .....
        </data>
        <hash>...</hash>
        <signature>...</signature>
</signed>
</encrypted>

This can be done in a single disk pass, as follows. I'll be using a pipe
metaphore because it is truly convenient for this. The signature pipe needs
to be designed in such a way that the first pull from the pipe return
"<signed><data>" followed by any data that has been pushed in the other end.
At the same time this pipe updates probably SHA-1 based on everything that
has been pushed in. The encryption pipe then takes all the output from the
signature pipe and encrypts it. Once the end of the data has been reached
simply trigger completion of the signature pipe, which will complete the
hash, generate the signature, wrap it all up nicely, and put it at the input
of the encryption pipe. If the encryption pipe is done is such a way that it
does not have to complete before data can be read out (vital for excessively
large files) this should work quite easily.

This may sound like a bit of a strange way to go about things, but there is
a security reason for it. The signature has to be either inside or
simultaneous with the encryption, otherwise it may be possible to change
keys of the encryption and as a result selectively alter the plaintext. This
is easiest to see when working with an XOR-based OTP, where by changing the
key you get every possible output. Additionally in some cases it is possible
to change private keys of RSA to perform some of these gymnastics. To avoid
these problems it is vital to always sign before encryption.
                    Joe

Received on Wednesday, 20 March 2002 20:58:01 UTC