Signatures and encryption headers
- From: Fabrice <fabrice.gautier@xxxxxxxxx>
- Date: Tue, 4 Nov 2008 14:55:57 -0800 (PST)
Hi,
Let say I have a payload of data I want to encrypt and sign.
The system support various formats for encryption, such as different
cipher, chaining mode, usage of session key etc...
So I create an encryption header that basically include:
- The payload size
- Which cipher and chaining mode are used.
- An encrypted session key
- An IV
- A key index that indicate the recipient which key to uses to decrypt
- Some parameters used to derive the real key used
- etc...
So the clear payload is signed, then its encrypted.
The encryption header, payload and signatures are sent to the
recipient.
Now the question is: should this header be signed too ? Or is it
unnecessary ?
I say its unnecessary as long as the recipient validate properly the
parameters. Whatever an attacker might change in the encryption
header, will change the decrypted payload and will cause the signature
check to fail.
Other people might say that the recipient should not do any
computation with any data that has not been signed. That it might be
possible to exploit the header to cause a fault in the recipient that
might cause him to do something bad...
Whats your take on this ? Should the encryption header be signed or
not ?
Thanks
.
- Follow-Ups:
- Re: Signatures and encryption headers
- From: Bertrand Mollinier Toublet
- Re: Signatures and encryption headers
- From: Oleg Khovayko
- Re: Signatures and encryption headers
- Prev by Date: Re: Constructing PRNGs from hash functions
- Next by Date: Re: Keyschedule in AES
- Previous by thread: Keyschedule in AES
- Next by thread: Re: Signatures and encryption headers
- Index(es):
Relevant Pages
|
