USENIX 2001 Abstract
Defective Sign & Encrypt in S/MIME,PKCS#7, MOSS, PEM, PGP, and XML
Don Davis, Shym Technology
Simple Sign & Encrypt, by itself, is not very
secure. Cryptographers know this well, but application programmers and
standards authors still tend to put too much trust in simple
Sign-and-Encrypt. In fact, every secure e-mail protocol, old and new, has
codifiednaïve Sign & Encrypt as acceptable security
practice. S/MIME, PKCS#7, PGP, OpenPGP, PEM, and MOSS all suffer from this
flaw. Similarly, the secure document protocols PKCS#7,XML-Signature, and
XML-Encryption suffer from the same flaw. Naïve Sign & Encrypt
appears only in file-security and mail-security applications, but this
narrow scope is becoming more important to the rapidly-growing class of
commercial users. With file- and mail-encryption seeing widespread use, and
with flawed encryption in play, we can expect widespread
In this paper, we analyze the naïve Sign & Encrypt
flaw, we review the defective sign/encrypt standards, and we describe a
comprehensive set of simple repairs. The various repairs all have a common
feature: when signing and encryption are combined, the inner crypto layer
must somehow depend on the outer layer, so as to reveal any tampering with
the outer layer.
- View the full text of this paper in
The Proceedings are published as a collective work, © 2001 by the USENIX Association. All Rights Reserved. Rights
to individual papers remain with the author or the author's employer.
Permission is granted for the noncommercial reproduction of the complete
work for educational or research purposes. USENIX acknowledges all
trademarks within this paper.
- If you need the latest Adobe Acrobat Reader, you can download it from Adobe's site.
- To become a USENIX Member, please see our Membership Information.