Defective Sign & Encrypt in S/MIME, PKCS#7, MOSS, PEM, PGP, and XML

Simple Sign & Encrypt, by itself, is not very secure. Cryptographers know this well, but application programmers and standards authors still tend to put too much trust in simple Sign-and-Encrypt. In fact, every secure e-mail protocol, old and new, has codified naïve Sign & Encrypt as acceptable security practice. S/MIME, PKCS#7, MOSS, PEM, and PGP all suffer from this flaw. Similarly, the secure document protocols PKCS#7, XML-Signature, and XML-Encryption suffer from the same flaw. Naïve Sign & Encrypt appears only in file-security and mail-security applications, but this narrow scope is becoming more important to the rapidly growing class of commercial users. With file- and mail-encryption seeing widespread use, and with flawed encryption in play, we can expect widespread exposures. In this paper, we analyze the naïve Sign & Encrypt flaw, we review the defective sign/encrypt standards, and we describe a comprehensive set of simple repairs. The various repairs all have a common feature: when signing and encryption are combined, the inner crypto layer must somehow depend on the outer layer, so as to reveal any tampering with the outer layer.
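The flaw and the common shape of the repairs, as an added Go example that is not from the paper: Ed25519 stands in for the signing primitive, the outer encryption layer is modeled as plain addressing (only who it is encrypted to matters here), and the names and message are constructed. With `bind=true` the intended recipient is folded into the signed bytes, so re-addressing the outer layer breaks the inner signature.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope models the outer "encrypted to Recipient" layer; the body is kept
// in clear because only the addressing matters for this demonstration.
type Envelope struct {
	Recipient string
	Message   []byte
	Sig       []byte
}

// toBeSigned is what the inner signature covers. With bind=true the intended
// recipient is folded into the signed data, so the inner layer depends on
// the outer layer (the common feature of the repairs the paper describes).
func toBeSigned(msg []byte, recipient string, bind bool) []byte {
	if !bind {
		return msg // naive Sign & Encrypt: the signature says nothing about the recipient
	}
	return append([]byte("recipient="+recipient+"\n"), msg...)
}

// SignThenEncrypt signs msg (binding the recipient if asked) and addresses it to `to`.
func SignThenEncrypt(priv ed25519.PrivateKey, msg []byte, to string, bind bool) Envelope {
	return Envelope{Recipient: to, Message: msg, Sig: ed25519.Sign(priv, toBeSigned(msg, to, bind))}
}

// Rewrap models tampering with the outer layer only: the signed object is
// re-addressed to someone else while its signature is left intact.
func Rewrap(env Envelope, newTo string) Envelope {
	env.Recipient = newTo
	return env
}

// DecryptThenVerify is the receiving side; me is the identity whose key opened
// the outer layer. With bind=true, verification demands that the signer named me.
func DecryptThenVerify(pub ed25519.PublicKey, env Envelope, me string, bind bool) error {
	if !ed25519.Verify(pub, toBeSigned(env.Message, me, bind), env.Sig) {
		return errors.New("signature does not cover this recipient")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	msg := []byte("constructed sample: the offer is accepted") // constructed input
	naive := Rewrap(SignThenEncrypt(priv, msg, "bob", false), "charlie")
	fmt.Println("naive, re-addressed:   ", DecryptThenVerify(pub, naive, "charlie", false)) // <nil>
	fixed := Rewrap(SignThenEncrypt(priv, msg, "bob", true), "charlie")
	fmt.Println("repaired, re-addressed:", DecryptThenVerify(pub, fixed, "charlie", true)) // error
}
```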