Ben, Amir, et al.
I see that cipher1 has no transparent value. Therefore, the XML-Encrypted message (see http://www.w3.org/TR/xmlenc-core/ ) must transport
(1) symmetric_IV
(2) Sign_RSA_Receiver_PK(symmetric_Key)
(3) cipher
(4) Sign_RSA_Sender(SHA1(message))
This is still not very good. Comments:
a. In (2) you obviously mean Encrypt_RSA not Sign_RSA
b. In (4) you again send the hash of the plaintext in the clear. As I explained in my previous note, this is insecure, e.g. if plaintext is taken from a reasonably sized set (which is common), attacker can find the plaintext by hashing all the possible values. There are two fixes to this: sign the encrypted message and public key (which we proved secure for most PKCS including RSA) or encrypt the signed message (which may be vulnerable to Krawczyk/Bleichenbacher's attacks).
c. Notice also (again as I wrote before...) that you don't achieve your stated goal of identifying the intended receiver. This is also solved if you sign the ciphertext and the receiver's public key, or simply sign the identity of the receiver.
Anyway, I am repeating myself, so...
Best regards,
Amir Herzberg
Computer Science Department, Bar Ilan University
Lectures: http://www.cs.biu.ac.il/~herzbea/book.html
Homepage: http://amir.herzberg.name
---------------------------------------------------------------------
The Cryptography Mailing List
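Comments b and c in the message above can be checked in a few lines. The following is an added example, not code from the thread: the toy RSA key, the keystream cipher, the `envelope` and `confirmable` helpers and the sample messages are all constructed assumptions, and item (2), the RSA-encrypted symmetric key, is left out because it does not affect the comparison.

```python
import hashlib
import os

# Constructed toy sender key (two Mersenne primes). Textbook RSA without
# padding, for illustration only; never use such keys or unpadded RSA.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))

def sha1_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha1(data).digest(), "big")

def sign(data: bytes) -> int:
    return pow(sha1_int(data), D, N)          # Sign_RSA_Sender(SHA1(data))

def verify(data: bytes, sig: int) -> bool:
    return pow(sig, E, N) == sha1_int(data)   # needs only the public (N, E)

def toy_encrypt(key: bytes, iv: bytes, msg: bytes) -> bytes:
    # Hypothetical stand-in for the symmetric cipher: SHA-1 keystream XOR.
    stream = b"".join(hashlib.sha1(key + iv + bytes([i])).digest()
                      for i in range(len(msg) // 20 + 1))
    return bytes(m ^ s for m, s in zip(msg, stream))

def envelope(msg: bytes, receiver_pk: bytes, bind: bool):
    """Return (iv, cipher, sig). bind=False signs the plaintext hash, item (4);
    bind=True signs ciphertext plus receiver public key, the first fix."""
    key, iv = os.urandom(16), os.urandom(16)
    cipher = toy_encrypt(key, iv, msg)
    signed = iv + cipher + receiver_pk if bind else msg
    return iv, cipher, sign(signed)

def confirmable(candidates, sig):
    """Plaintext guesses an eavesdropper can confirm from the signature alone."""
    return [c for c in candidates if verify(c, sig)]

if __name__ == "__main__":
    guesses = [b"BUY", b"SELL", b"HOLD"]      # constructed small message set
    for bind in (False, True):
        _, _, sig = envelope(b"SELL", b"receiver-pk", bind)
        print("bind" if bind else "leaky", confirmable(guesses, sig))
```

With `bind=True` the same signature also fails to verify if a different receiver key is substituted, which is the receiver identification that comment c asks for.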
