Defective Sign & Encrypt in S/MIME, PKCS#7, MOSS, PEM, PGP, and XML by Don Davis
Users and programmers prefer to think about security by analogy with familiar symmetric-key ``secret codes.'' For mail-handling and file-handling, security designers have relied heavily on simple asymmetric encryption and signing, rather naïvely combined. Naïve sign & encrypt has surprisingly different security semantics from symmetric encryption, but the difference is subtle, perhaps too subtle for non-specialist users and programmers to grasp. Indeed, for senders, sign-and-encrypt guarantees the same security properties as symmetric-key cryptography gives. With both types of crypto, the sender is sure that:
- The recipient knows who wrote the message; and
- Only the recipient can decrypt the message.
The difference appears only in the recipient's security guarantees: the recipient of a symmetric-key ciphertext knows who sent it to him, but a ``simple sign & encrypt'' recipient knows only who wrote the message, and has no assurance about who encrypted it. This is because naïve sign & encrypt is vulnerable to ``surreptitious forwarding,'' but symmetric-key encryption is not. Since users will always assume that sign & encrypt is similar to symmetric-key ``secret codes,'' they will tend to trust naïve sign & encrypt too much.
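As an added example, not code from the paper, the following toy model shows surreptitious forwarding against naïve sign & encrypt alongside the repair of naming the intended recipient inside the signed data. The RSA signature uses constructed small primes, the addressed envelope stands in for public-key encryption, and the principal names are assumptions; the defect being demonstrated is in the message format, not in the primitives.

```python
import hashlib
# Toy RSA signing over constructed small primes: enough to show that anyone
# holding the public key can verify, nowhere near enough for real use.
P, Q, E = 1000003, 1000033, 65537
ALICE_PUB = (P * Q, E)
ALICE_PRIV = (P * Q, pow(E, -1, (P - 1) * (Q - 1)))

def _digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(_digest(data, n), d, n)

def verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)

# Stand-in for public-key encryption: an envelope only its addressee can open.
def encrypt_to(recipient: str, payload: tuple) -> tuple:
    return (recipient, payload)

def decrypt(me: str, envelope: tuple) -> tuple:
    addressee, payload = envelope
    if addressee != me:
        raise PermissionError(f"{me} does not hold the key for {addressee}")
    return payload

# Naive sign & encrypt: the signed bytes say nothing about who they were for.
def naive_send(sender_priv, recipient: str, body: bytes) -> tuple:
    return encrypt_to(recipient, (body, sign(sender_priv, body)))

# Repair: the signature covers the recipient's name, so a forwarded copy still
# verifies as "Alice wrote this for Bob", never as "Alice wrote this for Charlie".
def named_send(sender_priv, recipient: str, body: bytes) -> tuple:
    signed = f"to:{recipient}\n".encode() + body
    return encrypt_to(recipient, (signed, sign(sender_priv, signed)))

# Surreptitious forwarding: Bob opens Alice's envelope and re-encrypts the
# signed payload, signature intact, to Charlie.
def forward(receiver: str, envelope: tuple, new_recipient: str) -> tuple:
    return encrypt_to(new_recipient, decrypt(receiver, envelope))

# Would `me` accept the envelope as a message Alice wrote for `me`?
def accept(me: str, sender_pub, envelope: tuple, check_name: bool) -> bool:
    signed, sig = decrypt(me, envelope)
    if not verify(sender_pub, signed, sig):
        return False
    return signed.startswith(f"to:{me}\n".encode()) if check_name else True
```

Charlie accepts the naively forwarded copy because nothing he can verify ties the signed bytes to his own identity; with the recipient's name under the signature, decryption still succeeds but the addressee check fails.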