[smime] Signature forgery in RFC 5652

Damian Poddebniak <dp141016@fh-muenster.de> Mon, 05 November 2018 16:12 UTC

Return-Path: <dp141016@fh-muenster.de>
X-Original-To: smime@ietfa.amsl.com
Delivered-To: smime@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2452012D4EC for <smime@ietfa.amsl.com>; Mon, 5 Nov 2018 08:12:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G9BKlafnfD-l for <smime@ietfa.amsl.com>; Mon, 5 Nov 2018 08:12:06 -0800 (PST)
Received: from mail.fh-muenster.de (mail.fh-muenster.de [212.201.120.190]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A0B8E126CC7 for <smime@ietf.org>; Mon, 5 Nov 2018 08:12:06 -0800 (PST)
Received: from [192.168.0.241] (ip-95-223-44-244.hsi16.unitymediagroup.de [95.223.44.244]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: dp141016) by mail.fh-muenster.de (Postfix) with ESMTPSA id 13722280724 for <smime@ietf.org>; Mon, 5 Nov 2018 17:12:05 +0100 (CET)
To: smime@ietf.org
From: Damian Poddebniak <dp141016@fh-muenster.de>
Message-ID: <6c5373b3-b6cd-3277-1310-ef03ebad8d84@fh-muenster.de>
Date: Mon, 5 Nov 2018 17:12:04 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.2.1
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/smime/86YLi4863YUNg-fXlgSZ7P0NzXM>
X-Mailman-Approved-At: Tue, 06 Nov 2018 08:51:57 -0800
Subject: [smime] Signature forgery in RFC 5652
X-BeenThere: smime@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SMIME Working Group <smime.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/smime>, <mailto:smime-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/smime/>
List-Post: <mailto:smime@ietf.org>
List-Help: <mailto:smime-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/smime>, <mailto:smime-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Nov 2018 16:13:03 -0000

Hello,

I have noticed something interesting about signing in the CMS 
specification and don't really know what to do with it.

The RFC says that if SignerInfo::signedAttrs are present, the signature 
covers the signedAttrs (with the message digest being in them). If there 
are no signedAttrs, the signature covers the message directly.

Said that, it is possible to just cut and paste the 
SignerInfo::signedAttrs to become the new 
EncapsulatedContentInfo::eContent without breaking the signature.

1) cut the signedAttrs (possible, because they are optional)

2) remove the eContent value

3) paste the signedAttrs into eContent

Given that the signedAttrs are DER-encoded, they obviously didn't look 
good when interpreted as an ASCII message

However, as the signature is still correct, this is basically a forgery 
of a message the sender didn't signed.

What do you think? I could also provide an example if needed.

Nice regards,

Damian Poddebniak