Loading ...
Sorry, an error occurred while loading the content.

9631Re: [soapbuilders] Re: Super-Encryption AND Digital Signatures

Expand Messages
  • Rich Salz
    Dec 4, 2003
    • 0 Attachment
      >>Now, a compromised receiver does the following. First, get the keys:
      >>Key2 = RSA_Decrypt[OuterEncryptedKey] [using receiver's RSA private key]
      >>CipherValue1 = Decrypt[TripleDES(CipherValue2)]
      >>Key1 = RSA_Decrypt[InnerEncryptedKey] [using sender's RSA public key]
      >>Next, use those keys to create a bad message:
      >>BadCipher1 = Encrypt[TripleDES(*BAD MESSAGE*, Key1)]
      >>BadCipher2 = Encrypt[TripleDes(BadCipher1, Key2)]

      > But BadCipher1 now has RSA_Encrypt(Key1) from the receiver and not the
      > original sender

      No, use the original encrypted Key1.

      > Therefore, the proof of who sent the message resides with the
      > decryption of Key1

      Right, but there's no proof of what content the sender provided. More
      precisely, the proof is "who generated Key1", which is even further from
      protecting the content.

      > Where is this breaking down?

      Our terminology, I think.

      Both sender and receiver need Key1 and Key2. Since both 3DES is
      symmetric, Key1 and Key2 can both encrypt and decrypt. Once the
      adversary (compromised receiver) has both keys, he can use them to
      encrypt anthing he wants. Now take that bogus message -- and the keys
      *in their original wrappers* -- and prove the sender didn't generate
      that content.

      Does this help?
      /r$
      --
      Rich Salz, Chief Security Architect
      DataPower Technology http://www.datapower.com
      XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
      XML Security Overview http://www.datapower.com/xmldev/xmlsecurity.html
    • Show all 22 messages in this topic