OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

dss-comment message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [dss-comment] DSS as a encryption/decryption oracle.

Hi Timothy !

>  Here's what I think are necessary:
I agree with all your precautions. All this should be taken into account 
when designing a real implementation. But I wouldn't like to see a mix 
of concerns between DSS spec and implementation details.

E.g. there are many efforts out there that care about authentication. I 
don't believe we could design a better authentication solution 'en 
passant' . So let's concentrate on our primary goal and leave the rest 
to other experts !

>  - The service must implement signature schemes that are provably
>  secure against both chosen-plaintext and chosen-ciphertext attacks.
>  - The service must not allow unauthenticated signing operations. 
> This  > impedes the ability of any attacker to use the service as an 
> oracle.
>  - The service must sign only objects, not hashes of objects. This
>  impedes an insider's ability to utilize the service as an oracle.
I don't like signing a hash and the German-Sig-Law-Profile prohibits 
it's use at all.

But except within an odd PKCS7 mode there is always a second stage of 
hashing involved. So the hash as it is usually don't serves as the input 
to the encryption step.

>  - The service must implement detection and prevention of misuse. 
> This  > impedes the use of the service as an oracle, and provides 
> support for  > denial-of-service protection. However, as the "normal" 
> volume of the  > service increases, the ability to detect misuse 
> decreases.
>  - The service must utilize hardware security modules for private 
> key  > operations. This supports service non-repudiation.
>  - The service must implement some form of authority delegation. 
> This  > provides support for attribution and non-repudiation.
>  If nothing else this should be covered in implementation guidance, 
> as  > security considerations, which appear to be missing from the
>  standard.
I don't think we could cover all DSS usage scenarios even roughly. It 
spans from simple intranet transport protection to legally binding 
The security aspects are very domain-specific and dtmo should be 
targeted there, not by the general DSS.


Andreas K.

Andreas Kühne
phone: +49 177 293 24 97
mailto: kuehne@trustable.de

Trustable Ltd.
Niederlassung Deutschland
Ströverstr. 18 - 59427 Unna
Amtsgericht Hamm HRB 5868

Andreas Kühne
Heiko Veit

Company UK
Company No: 5218868
Registered in England and Wales

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]