Score:1

Does CMS AuthEnvelopedData type provide message authentication?


I was looking through the S/MIME Message specification (RFC 8551) to find out what security services it offers. Section 2.4.4 of this document, describing the AuthEnvelopedData content type (which uses the CMS type of the same name), says:

This content type is used to apply data confidentiality and message integrity to a message. This content type does not provide authentication or non-repudiation.

The Authenticated-Enveloped-Data CMS content type uses authenticated encryption algorithms (such as AES-CCM or AES-GCM) according to RFC 5083.

Authenticated encryption algorithms generally provide confidentiality, authenticity and integrity of data. So why does the S/MIME specification state that AuthEnvelopedData type doesn't provide authentication?

Score:1

Authentication (and nonrepudiation) is relative to a source.

'Authenticated' encryption like GCM and CCM is a limited form of authentication that guarantees successfully decrypted data came from the entity that did the encryption, and was not modified (tampered) in transit, but does not by itself tell you anything about who the encrypter was, only that they had the key. The environment it is used in may add to this; as a common example, TLS (always in 1.3 and usually in 1.2 nowadays) can encrypt session data with an AEAD algorithm and a nonce key known only to the two endpoints of the connection (and with one exception an IV-aka-nonce at least partly known only to the endpoints); thus if one endpoint receives data that decrypts correctly, and knows it didn't send that data, the data must be from the other endpoint and untampered.

S/MIME and CMS messages can be transmitted in an unlimited number of steps to and from anybody, although signed messages can only be created by the entity with the relevant private key (and there should be only one because private keys should not be shared) and similarly enveloped messages (with the normally used RecipientInfo types) can only be 'opened' (decrypted) with a private key which only one entity should have. The AuthEnveloped variant, using AEAD encryption, guarantees that the ciphertext wasn't tampered with -- unlike traditional encryption which without outer signature or other integrity measure can sometimes be done in a way that causes undetected attacker-desired changes to the plaintext -- but it does not say anything about who the data comes from. Anybody in the world who has your (public) certificate can create a valid AuthEnveloped message to you. Since you don't know who the sender is, repudiation is meaningless -- there is no assertion of responsibility to be repudiated.
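The distinction drawn in the answer above, as an added example that is not part of the original post: a simplified model of AuthEnvelopedData in Node.js (AES-256-GCM content encryption plus RSA-OAEP key transport, with no CMS/ASN.1 encoding). The function names and the sample message are assumptions made for the illustration. It shows that the recipient detects a modified ciphertext, while envelopes from two different senders open identically because sealing needs only the recipient's public key.

```javascript
// Added illustration: simplified model of AuthEnvelopedData, without CMS/ASN.1 encoding.
const crypto = require("node:crypto");

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" };

// Anyone who holds the recipient's public key (i.e. their certificate) can call this.
function sealEnvelope(recipientPublicKey, plaintext) {
  const cek = crypto.randomBytes(32); // fresh content-encryption key
  const iv = crypto.randomBytes(12);  // 96-bit GCM nonce
  const cipher = crypto.createCipheriv("aes-256-gcm", cek, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  const tag = cipher.getAuthTag();
  // Key transport: the CEK is encrypted to the recipient, like a KeyTransRecipientInfo.
  const wrappedKey = crypto.publicEncrypt({ key: recipientPublicKey, ...OAEP }, cek);
  return { wrappedKey, iv, ciphertext, tag };
}

// Returns the plaintext, or null when key unwrap or the GCM tag check fails.
function openEnvelope(recipientPrivateKey, msg) {
  try {
    const cek = crypto.privateDecrypt({ key: recipientPrivateKey, ...OAEP }, msg.wrappedKey);
    const decipher = crypto.createDecipheriv("aes-256-gcm", cek, msg.iv);
    decipher.setAuthTag(msg.tag);
    return Buffer.concat([decipher.update(msg.ciphertext), decipher.final()]).toString("utf8");
  } catch (err) {
    return null;
  }
}

function demo() {
  const recipient = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  const text = "Transfer approved. -- Alice"; // constructed sample message

  // Two different parties produce envelopes; neither uses any secret of its own.
  const fromAlice = sealEnvelope(recipient.publicKey, text);
  const fromStranger = sealEnvelope(recipient.publicKey, text);

  // Modify one ciphertext byte in transit.
  const tampered = { ...fromAlice, ciphertext: Buffer.from(fromAlice.ciphertext) };
  tampered.ciphertext[0] ^= 0x01;

  return {
    fromAlice: openEnvelope(recipient.privateKey, fromAlice),
    fromStranger: openEnvelope(recipient.privateKey, fromStranger),
    tampered: openEnvelope(recipient.privateKey, tampered),
  };
}

console.log(demo());
```

Binding the message to a sender requires a signature made with the sender's own private key (SignedData in CMS terms), which this model deliberately omits.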
