Comments on draft-ietf-smime-rcek-00.txt
Robert Zuccherato <robert.zuccherato@entrust.com> Thu, 14 September 2000 15:41 UTC
Received: from ns.secondary.com (ns.secondary.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with SMTP id LAA17399 for <smime-archive@odin.ietf.org>; Thu, 14 Sep 2000 11:41:29 -0400 (EDT)
Received: (from majordomo@localhost) by ns.secondary.com (8.9.3/8.9.3) id IAA18930 for ietf-smime-bks; Thu, 14 Sep 2000 08:09:24 -0700 (PDT)
Received: from SOTTMXS01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id IAA18926 for <ietf-smime@imc.org>; Thu, 14 Sep 2000 08:09:22 -0700 (PDT)
Received: by SOTTMXS01.entrust.com with Internet Mail Service (5.5.2650.21) id <S76SN8M4>; Thu, 14 Sep 2000 11:13:16 -0400
Message-ID: <3120721CA75DD411B8340090273D20B1283B04@sottmxs06.entrust.com>
From: Robert Zuccherato <robert.zuccherato@entrust.com>
To: ietf-smime@imc.org
Subject: Comments on draft-ietf-smime-rcek-00.txt
Date: Thu, 14 Sep 2000 11:05:32 -0400
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C01E5D.3A7CE7B0"
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>
I have a few comments on the draft proposing the re-use of content encryption keys (draft-ietf-smime-rcek-00.txt). The CEKMaxDecrypts makes this scheme vulnerable to a denial-of-service attack in two ways. First, the attacker could just resend a message MaxDecrypt times and the CEKReference would no longer be valid and potentially not accessible. Does it make more sense to limit the lifetime of the CEKReference by time (maybe give the number of seconds it is to be active) instead of number of decrypts? Also, since the attribute is unprotected it could be changed (i.e. reduced) so that the CEKReference isn't available as long as intended. Why not allow the attribute to be protected? These possibilities should at least be mentioned in the Security Considerations. Why not just mandate that the CEK and KEK algorithms must be the same? This wouldn't seem to be too much of an imposition. This removes the need for a KDF. If you really want to allow different algorithms, the KDF included seems kind of ad-hoc. I would be more comfortable if a more standard KDF was used. Perhaps the KDF from IEEE P1363 would be appropriate. Thanks, Robert Zuccherato Entrust Technologies
- Comments on draft-ietf-smime-rcek-00.txt Robert Zuccherato
- Re: Comments on draft-ietf-smime-rcek-00.txt Russ Housley
- Re: Comments on draft-ietf-smime-rcek-00.txt Stephen Farrell