Abstract Defective Sign & Encrypt in S/MIME,

Simple Sign & Encrypt, by itself, is not very secure. Cryptographers know this well, but application programmers and standards authors still tend to put too much trust in simple Sign-and-Encrypt. In fact, every secure e-mail protocol, old and new, has codi ed na ve Sign & Encrypt as acceptable security practice. S/MIME, PKCS#7, PGP, OpenPGP, PEM, and MOSS all su er from this aw. Similarly, the secure document protocols PKCS#7, XML-Signature, and XML-Encryption su er from the same aw. Na ve Sign & Encrypt appears only in le-security and mailsecurity applications, but this narrow scope is becoming more important to the rapidly-growing class of commercial users. With leand mail-encryption seeing widespread use, and with awed encryption in play, we can expect widespread exposures. In this paper, we analyze the na ve Sign & Encrypt aw, we review the defective sign/encrypt standards, and we describe a comprehensive set of simple repairs. The various repairs all have a common feature: when signing and encryption are combined, the inner crypto layer must somehow depend on the outer layer, so as to reveal any tampering with the outer layer.