Defective Sign
& Encrypt in S/MIME, PKCS#7, MOSS, PEM, PGP, and XML
by
Don Davis
in Proceedings of 2001 Annual Usenix
Technical Conference |
|
Brief Summary |
|
The author showed simple sign &
encrypt is not very secure by itself. Although the problem is clear, every
secure-email protocol and many secure document protocols do not address
this problem in the specifications or describe the potential pitfalls of
using sign & encrypt in naive manner. The same trend continues on today to
XML-Signature, and XML-Encryption specifications and they suffer from the
same flaw.
Question is, why does this keep happening? Is it
because wrong people are using the specifications that they aren't
supposed to see? Or, is it because the standard makers are not realizing
their audience and not making the specifications detailed enough?
Couple other related papers to this topic are,
- The order of encryption and authentication for
protecting communications (Or: how secure is SSL?), Hugo Krawczyk,
CRYPTO '01
- Why Johnny Can't Encrypt: A Usability Evaluation
of PGP 5.0, Alma Whitten and J. D. Tygar, 9th Usenix Security Symposium,
199
|
Pros |
|
Contributed by Kaw-Yuan Mark Lee
- Triple Wrapping - SES or ESE seems to be quite
secure but can be expensive. Must link outer-layer to inner-layer key
pair to make sure signer and encryptor are the same.
- Good over of several protocols - PGP, PEM,
X.509, S/MIME
- Excellent to understand the attacks
- Secure programs being developed by application
developers instead of cryptographers - application developers, for the
most part do not understand cryptography very well and linking
cryptographic API to their applications is difficult.
Contributed by Helen Rehn
- Provides several clear solutions within existing
frameworks
- Tracks historical development of the problem
- Identifies realistic users of toolkits,
frameworks, etc.
- Pertinent in light of new XML security protocols
|
Cons |
|
Contributed by Geetanjali Sampemane
- I thought the paper was way too long for the
content. The main point is that the standards mislead you into thinking
that signature and
encryption are completely modular and independent and the order in which
they are used is not important, and this is _not_ true. The other thing
is that standards/specifications are too low-level and people who use
them (application developers) don't understand what the
semantics/guarantees are.
- The solution proposed is fairly straightforward
too -- signature and encryption need to be linked, either by additional
signatures or by
including sender/recipient info in the encrypted message body.
- Going through the various existing standards
pointing out how each of them had the same problem made the paper much
longer without adding much additional information or clarity.
|
Discussions |
|
- What would be the actual damage by surreptitious
forwarding?
- How about the commercial products in the market
today? Does any of them show this flaw?
- What is easy-enough semantic for application
developers to understand and not make a mistake? What if we changed to
audience to the end-users?
- This is problem of abstraction. Certainly the
internal details of cryptographic primitives should be abstracted when
presented to application developers or end users. But, what is the
appropriate level of abstraction? How much can we expect from a normal
end user to understand on this topic?
- Is there any economic incentive for the standard
makers or API writers to provide enough details and make the
abstractions at the right level?
- The "padlock" at the bottom of your browser, is
it giving people the bad idea? Is it really possible to abstract the
whole secure connection semantic to one single icon? If not, how much
should a user know?
- What if we could provide two layers of API, one
for the knowledgeable programmer who understands the cryptographic
details, and another for those who aren't?
- In any case, there will be certain gap between
the specification and any implementation of it, unless the specification
also provides the reference source code.
- How much of security support should be
automated? Is it really desirable to provide a turn-key API to use
various types of cryptographic primitives?
|