Re: [smime] Signature forgery in RFC 5652

Jim Schaad <ietf@augustcellars.com> Tue, 06 November 2018 23:38 UTC

Return-Path: <ietf@augustcellars.com>
X-Original-To: smime@ietfa.amsl.com
Delivered-To: smime@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B21A41252B7 for <smime@ietfa.amsl.com>; Tue, 6 Nov 2018 15:38:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j53vtT2P4I2i for <smime@ietfa.amsl.com>; Tue, 6 Nov 2018 15:38:19 -0800 (PST)
Received: from mail2.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F3112124D68 for <smime@ietf.org>; Tue, 6 Nov 2018 15:38:18 -0800 (PST)
Received: from Jude (43.249.105.152) by mail2.augustcellars.com (192.168.0.56) with Microsoft SMTP Server (TLS) id 15.0.1347.2; Tue, 6 Nov 2018 15:33:04 -0800
From: Jim Schaad <ietf@augustcellars.com>
To: 'Damian Poddebniak' <dp141016@fh-muenster.de>, <smime@ietf.org>
References: <6c5373b3-b6cd-3277-1310-ef03ebad8d84@fh-muenster.de>
In-Reply-To: <6c5373b3-b6cd-3277-1310-ef03ebad8d84@fh-muenster.de>
Date: Wed, 7 Nov 2018 06:37:48 +0700
Message-ID: <022e01d47629$bc0296d0$3407c470$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQIvtwmZng2a/JNaaqD/+nBaROCXzKSM4+Qw
Content-Language: en-us
X-Originating-IP: [43.249.105.152]
Archived-At: <https://mailarchive.ietf.org/arch/msg/smime/Pl3ghqfEOrG3gtkKDWuGYx4PQYY>
Subject: Re: [smime] Signature forgery in RFC 5652
X-BeenThere: smime@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SMIME Working Group <smime.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/smime>, <mailto:smime-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/smime/>
List-Post: <mailto:smime@ietf.org>
List-Help: <mailto:smime-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/smime>, <mailto:smime-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Nov 2018 23:38:22 -0000

I would not say that this is a forgery of a message that the user did not
sign.  What was signed was exactly the signedAttrs value, the eContent is
only indirectly included and is part of the processing of the message.

Yes what you noticed is real.  I have always pushed that one should always
have the attributes so that more information about what is going on in the
process.

Not something that I personally would worry about, but there might be some
interesting attack that could be done.

Jim


> -----Original Message-----
> From: smime <smime-bounces@ietf.org>; On Behalf Of Damian Poddebniak
> Sent: Monday, November 5, 2018 11:12 PM
> To: smime@ietf.org
> Subject: [smime] Signature forgery in RFC 5652
> 
> Hello,
> 
> I have noticed something interesting about signing in the CMS
specification
> and don't really know what to do with it.
> 
> The RFC says that if SignerInfo::signedAttrs are present, the signature
covers
> the signedAttrs (with the message digest being in them). If there are no
> signedAttrs, the signature covers the message directly.
> 
> Said that, it is possible to just cut and paste the
SignerInfo::signedAttrs to
> become the new EncapsulatedContentInfo::eContent without breaking the
> signature.
> 
> 1) cut the signedAttrs (possible, because they are optional)
> 
> 2) remove the eContent value
> 
> 3) paste the signedAttrs into eContent
> 
> Given that the signedAttrs are DER-encoded, they obviously didn't look
good
> when interpreted as an ASCII message
> 
> However, as the signature is still correct, this is basically a forgery of
a
> message the sender didn't signed.
> 
> What do you think? I could also provide an example if needed.
> 
> Nice regards,
> 
> Damian Poddebniak
> 
> _______________________________________________
> smime mailing list
> smime@ietf.org
> https://www.ietf.org/mailman/listinfo/smime