RE: weak authentication issue with rfc5083
Hi Peter,
The push back to why doesn't everyone just use signatures is when I have an existing security mechanism like Kerberos which builds secure pairwise keys. Kerberos shared secrets can establish mutual authentication providing both parties demonstrate knowledge of the shared secret. I don't think the solution is that complex. If I encrypt the MAC with the pairwise secret I achieve mutual authentication. We use the same mechanism to learn the CEK, we just need to do the same again to prove I know both the KEK and the MAC.
Trevor
-----Original Message-----
From: pgut001 [mailto:pgut001@xxxxxxxxxxxxxxxxx]
Sent: Friday, May 09, 2008 6:26 AM
To: ietf-smime@xxxxxxx; ietf@xxxxxxxxxxxxxxxxx; pgut001@xxxxxxxxxxxxxxxxx; Trevor Freeman
Subject: RE: weak authentication issue with rfc5083
"Jim Schaad" <ietf@xxxxxxxxxxxxxxxxx> writes:
>I believe you have misunderstood the issue that Trevor raised.
>
>His problem is:
>
>1. I send you and him a single Authenticated Message.
>
>2. He takes the common CEK in the original message, uses it to create a MAC
>on a new message and then sends it on to you.
>
>As is always true with Authenticated messages, there is no proof of origin.
>He worries that you might be confused and believe the second message was
>from me rather than from him. Since they both use the same CEK that is not a
>factor that could be used to distinguish them.
Ah, OK, thanks. How serious a threat is this in practice though? Wouldn't
people just use asymmetric auth if they're worried about proof of origin? I
realise it's kind of an interesting problem to solve, but does it need solving
beyond a security considerations note "If you're seriously worried about proof
of origin use a signature"?
Peter.
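
The scenario discussed in this thread, as an added Python example that is not part of either message: a MAC under the common CEK verifies no matter which CEK holder computed it, while a second value keyed with the sender-recipient pairwise key does not. HMAC-SHA256 over the MAC stands in here for encrypting the MAC with the pairwise secret; the key values, party names and function names are constructed for illustration.

```python
import hashlib
import hmac

def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

# Constructed sample keys (not from the thread).
CEK = b"C" * 32                     # one CEK, known to the sender and every recipient
PAIRWISE = {                        # sender<->recipient keys, e.g. established via Kerberos
    "recipient1": b"1" * 32,
    "recipient2": b"2" * 32,
}

def send(msg: bytes, recipients: list) -> dict:
    """Sender: MAC under the common CEK, plus a per-recipient binding of that MAC."""
    tag = mac(CEK, msg)
    bindings = {r: mac(PAIRWISE[r], tag) for r in recipients}
    return {"msg": msg, "tag": tag, "bindings": bindings}

def verify_cek_only(packet: dict) -> bool:
    """Check that proves only 'someone holding the CEK made this'."""
    return hmac.compare_digest(mac(CEK, packet["msg"]), packet["tag"])

def verify_bound(packet: dict, me: str) -> bool:
    """Additionally require proof of the key shared only by the sender and `me`."""
    if not verify_cek_only(packet):
        return False
    expected = mac(PAIRWISE[me], packet["tag"])
    return hmac.compare_digest(expected, packet["bindings"].get(me, b""))

def second_message_from_recipient2(new_msg: bytes) -> dict:
    """Step 2 of the scenario: recipient2 knows the CEK and its own pairwise key,
    but not the key the sender shares with recipient1."""
    tag = mac(CEK, new_msg)
    return {"msg": new_msg, "tag": tag,
            "bindings": {"recipient1": mac(PAIRWISE["recipient2"], tag)}}

if __name__ == "__main__":
    first = send(b"original text", ["recipient1", "recipient2"])
    second = second_message_from_recipient2(b"different text")
    for name, pkt in (("first", first), ("second", second)):
        print(name, "CEK-only:", verify_cek_only(pkt),
              "bound:", verify_bound(pkt, "recipient1"))
```

The binding only authenticates the sender to that one recipient, since both ends of a pairwise key can compute it; it is not third-party proof of origin the way a signature is.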