[smime] Signature forgery in RFC 5652
Damian Poddebniak <dp141016@fh-muenster.de> Mon, 05 November 2018 16:12 UTC
Return-Path: <dp141016@fh-muenster.de>
X-Original-To: smime@ietfa.amsl.com
Delivered-To: smime@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2452012D4EC for <smime@ietfa.amsl.com>; Mon, 5 Nov 2018 08:12:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G9BKlafnfD-l for <smime@ietfa.amsl.com>; Mon, 5 Nov 2018 08:12:06 -0800 (PST)
Received: from mail.fh-muenster.de (mail.fh-muenster.de [212.201.120.190]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A0B8E126CC7 for <smime@ietf.org>; Mon, 5 Nov 2018 08:12:06 -0800 (PST)
Received: from [192.168.0.241] (ip-95-223-44-244.hsi16.unitymediagroup.de [95.223.44.244]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: dp141016) by mail.fh-muenster.de (Postfix) with ESMTPSA id 13722280724 for <smime@ietf.org>; Mon, 5 Nov 2018 17:12:05 +0100 (CET)
To: smime@ietf.org
From: Damian Poddebniak <dp141016@fh-muenster.de>
Message-ID: <6c5373b3-b6cd-3277-1310-ef03ebad8d84@fh-muenster.de>
Date: Mon, 05 Nov 2018 17:12:04 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.2.1
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/smime/86YLi4863YUNg-fXlgSZ7P0NzXM>
X-Mailman-Approved-At: Tue, 06 Nov 2018 08:51:57 -0800
Subject: [smime] Signature forgery in RFC 5652
X-BeenThere: smime@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SMIME Working Group <smime.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/smime>, <mailto:smime-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/smime/>
List-Post: <mailto:smime@ietf.org>
List-Help: <mailto:smime-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/smime>, <mailto:smime-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Nov 2018 16:13:03 -0000
Hello, I have noticed something interesting about signing in the CMS specification and don't really know what to do with it. The RFC says that if SignerInfo::signedAttrs are present, the signature covers the signedAttrs (with the message digest being in them). If there are no signedAttrs, the signature covers the message directly. Said that, it is possible to just cut and paste the SignerInfo::signedAttrs to become the new EncapsulatedContentInfo::eContent without breaking the signature. 1) cut the signedAttrs (possible, because they are optional) 2) remove the eContent value 3) paste the signedAttrs into eContent Given that the signedAttrs are DER-encoded, they obviously didn't look good when interpreted as an ASCII message However, as the signature is still correct, this is basically a forgery of a message the sender didn't signed. What do you think? I could also provide an example if needed. Nice regards, Damian Poddebniak
- [smime] Signature forgery in RFC 5652 Damian Poddebniak
- Re: [smime] Signature forgery in RFC 5652 Jim Schaad