> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf
> Of Viktor Dukhovni
> Sent: Wednesday, August 01, 2018 06:56
>
> On Tue, Jul 31, 2018 at 06:14:18PM +0200, Jakob Bohm wrote:
>
> > Actually, the CMS format itself is clearly designed for streamed decoding.
>
> It is not, because there is no integrity protection until you reach
> the end of the message.  In a packetized format designed for
> streaming, each chunk and their sequencing is integrity protected,
> streaming extractors are only exposed to (tamper-evident) truncation
> attacks.

And thus falling foul of Moxie Marlinspike's Cryptographic Doom Principle: If 
you don't verify integrity first, sooner or later you'll be in trouble.

While CMS has been updated, its roots are long - PKCS#7 is 20 years old, after 
all, and RFC 5652 is nearing the end of its first decade. Back then, deferring 
the integrity check to the end wasn't seen as a problem. Today we know better - 
which is why many people prefer AEAD modes.

CMS with an AEAD mode (such as AES128-GCM) ought to avoid the 
integrity-protection issue for the encrypted content, but not for the other 
parts of the message, I assume. (I'm no CMS expert so I may be missing 
something there.) And, of course, both sender and recipient would have to 
support that algorithm.

--
Michael Wojcik
Distinguished Engineer, Micro Focus



-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users