
Re: PGP/MIME vs. S/MIME vs. MOSS



> Also, I would appreciate some more dialogue on Robert's cryptanalysis
> concern with S/MIME:
> 
> >But the biggest concern I have of the strength of S/MIME is the presence of
> >any known text.  All of those imbedded MIME headers.  This is exactly the
> >attack that got Microsoft's WFW .pwl files!  (If you know that starting in
> >position 10 you will find the string 'application', the crypto analysis is
> >very easy).

That is the general problem of encrypting text that contains fixed tags with a
stream cipher (XORed byte by byte) such as RC4. It was reported by
Stevenson that the 'earlier' .pwl file was named after the username and
that the file content also started with the username (in capitals). The file was
encrypted with a 32-bit RC4 key, and the same pseudo-random stream was
reused. It was cracked on a single workstation in less than 1 second.
It is believed that the file format and encryption have since been changed.
RC4, when properly used, is quite secure.

Incidentally, for the MD5 algorithm, Dobbertin (who earlier discovered the
weakness in MD4) found and reported this month that under some special
conditions a different plaintext hashing to the same digest can be
determined. The author concluded that this might be reason enough to
substitute MD5 with SHA-1 in future applications.
The computation took 10 hours on a single Pentium PC.
(Ref: http://www.cs.ucsd.edu/users/bsy/dobbertin.ps).

This just demonstrates the need to allow for multiple algorithms in the
standard.


David Chia,
RMIT University
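As an added illustration of the keystream-reuse point made in the message above (this is example code written for this page, not anything from the original thread or from S/MIME itself), the snippet below encrypts two constructed messages under the same short RC4 key and shows that a fixed MIME header known to sit at the start of one message yields the keystream bytes that decrypt the same positions of the other; the header text, key values and message bodies are all constructed for the example.

```python
def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4 (KSA + PRGA); used here only to show what keystream reuse leaks."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    # A stream cipher is just plaintext XOR keystream, byte by byte.
    return xor_bytes(plaintext, rc4_keystream(key, len(plaintext)))

def recover_other_prefix(ct_known: bytes, known_plain: bytes, ct_other: bytes) -> bytes:
    """Known plaintext at fixed positions in one message gives the keystream at
    those positions (ct XOR plain); if a second message reused the keystream,
    the same bytes decrypt the second message at the same positions."""
    keystream_prefix = xor_bytes(ct_known, known_plain)
    return xor_bytes(ct_other[: len(keystream_prefix)], keystream_prefix)

# Constructed scenario: a predictable MIME header at offset 0 of message A,
# and a second message B encrypted under the same (short, 32-bit) key.
KNOWN_HEADER = b"Content-Type: application/pkcs7-mime; name=smime.p7m\r\n"
MSG_A = KNOWN_HEADER + b"\r\nbody of message A"
MSG_B = b"Content-Type: text/plain\r\n\r\nwire 10,000 to account 42"  # constructed
SHARED_KEY = bytes.fromhex("0badf00d")   # constructed 32-bit key, reused
FRESH_KEY = bytes.fromhex("deadbeef")    # constructed second key, used once

def demo_keystream_reuse() -> bytes:
    """Same key for both messages: header of A recovers the prefix of B."""
    ct_a, ct_b = encrypt(SHARED_KEY, MSG_A), encrypt(SHARED_KEY, MSG_B)
    return recover_other_prefix(ct_a, KNOWN_HEADER, ct_b)

def demo_fresh_key() -> bytes:
    """Distinct key per message: the recovered bytes are just noise."""
    ct_a, ct_b = encrypt(SHARED_KEY, MSG_A), encrypt(FRESH_KEY, MSG_B)
    return recover_other_prefix(ct_a, KNOWN_HEADER, ct_b)
```

The fix is the one the message implies: never reuse a keystream (a fresh key or nonce per message), and prefer a construction that tolerates predictable plaintext rather than relying on the headers being secret.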