>>>>> "Viktor" == Viktor Dukhovni <ietf-dane@xxxxxxxxxxxx> writes:

    >> On May 14, 2018, at 12:35 PM, Paul Wouters <paul@xxxxxxxxx> wrote:
    >>
    >> So that’s the bandaid. What and where will work be done on a
    >> solution?

    Viktor> A CBC-MAC (or some other suitable ciphertext MAC) would
    Viktor> probably help to defeat tampering with the CBC ciphertext.
    Viktor> As would encrypt-then-sign (rather than the more typical for
    Viktor> S/MIME sign-then-encrypt), but S/MIME signatures are
    Viktor> optional, so a ciphertext MAC seems appropriate.

More generally, I'd strongly suggest that even for confidentiality without
security, you want the security property of semantic security, and you want
some non-malleability property.

My point is that S/MIME seems to want some properties of its underlying bulk
encryption service that CBC clearly doesn't provide. I think that in addition
to recommending new ciphers, it's worth clearly articulating what security
properties you need. Doing so helps make analysis of the system easier. I've
found that doing similar work has saved me from some attacks like this in my
own work both inside and outside the IETF.

It's possible that some or all of this has already been done: it's been a
while since I've read the S/MIME specs.
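The malleability the thread is talking about, and the "ciphertext MAC" fix Viktor suggests, as an added example that is not part of the original mail thread and is not S/MIME code. It uses Go's standard library only. The key, IV, nonce, MAC key and three-block plaintext are constructed for the demo and are assumptions; a real implementation would generate them per message. The first function shows that flipping one bit of a CBC ciphertext block flips the same bit of the next plaintext block (turning "amount=0100" into "amount=9100") while the preceding block turns to garbage and no error is raised; the second pair adds an HMAC over IV and ciphertext so the tampered message is rejected before decryption; the last function shows the same flip against AES-GCM, an AEAD mode that has the non-malleability property built in.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed, fixed key material so the demo is deterministic. Assumption for
// illustration only: real code derives keys, IVs and nonces randomly per message.
var (
	demoKey    = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256
	demoMACKey = []byte("mac-key-for-demo-0123456789abcd")  // separate key for the MAC
	demoIV     = []byte("cbc-iv-demo-0123")                 // 16 bytes
	demoNonce  = []byte("gcm-nonce-12")                     // 12 bytes
)

// Constructed plaintext: exactly three 16-byte blocks, so unpadded CBC suffices.
var demoPlaintext = []byte("Payment record: " + "amount=0100 USD " + "to=acct#0000042.")

func cbcEncrypt(key, iv, pt []byte) ([]byte, error) {
	if len(pt)%aes.BlockSize != 0 {
		return nil, errors.New("plaintext must be a multiple of the block size")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return ct, nil
}

func cbcDecrypt(key, iv, ct []byte) ([]byte, error) {
	if len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext must be a multiple of the block size")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pt, nil
}

// tamper returns a copy of ct with one byte XORed by mask. In CBC, XORing byte j
// of ciphertext block i XORs byte j of plaintext block i+1 with the same mask
// and turns plaintext block i into garbage; nothing in CBC itself notices.
func tamper(ct []byte, offset int, mask byte) []byte {
	out := append([]byte(nil), ct...)
	out[offset] ^= mask
	return out
}

// CBCMalleability decrypts a tampered CBC ciphertext in which byte 7 of
// ciphertext block 0 was XORed with '0'^'9' (0x09), which rewrites byte 7 of
// plaintext block 1 from '0' to '9': "amount=0100" becomes "amount=9100".
func CBCMalleability() ([]byte, error) {
	ct, err := cbcEncrypt(demoKey, demoIV, demoPlaintext)
	if err != nil {
		return nil, err
	}
	return cbcDecrypt(demoKey, demoIV, tamper(ct, 7, '0'^'9'))
}

// EncryptThenMAC is one form of the "ciphertext MAC" suggested above:
// HMAC-SHA256 over iv||ct under a key independent of the encryption key.
func EncryptThenMAC(key, macKey, iv, pt []byte) (ct, tag []byte, err error) {
	ct, err = cbcEncrypt(key, iv, pt)
	if err != nil {
		return nil, nil, err
	}
	m := hmac.New(sha256.New, macKey)
	m.Write(iv)
	m.Write(ct)
	return ct, m.Sum(nil), nil
}

// VerifyThenDecrypt checks the tag in constant time before any decryption.
func VerifyThenDecrypt(key, macKey, iv, ct, tag []byte) ([]byte, error) {
	m := hmac.New(sha256.New, macKey)
	m.Write(iv)
	m.Write(ct)
	if !hmac.Equal(m.Sum(nil), tag) {
		return nil, errors.New("ciphertext MAC mismatch: message was modified")
	}
	return cbcDecrypt(key, iv, ct)
}

// GCMRejectsTamper applies the same single-byte flip to an AES-GCM ciphertext;
// Open returns an authentication error instead of altered plaintext.
func GCMRejectsTamper() error {
	block, err := aes.NewCipher(demoKey)
	if err != nil {
		return err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return err
	}
	ct := aead.Seal(nil, demoNonce, demoPlaintext, nil)
	_, err = aead.Open(nil, demoNonce, tamper(ct, 7, '0'^'9'), nil)
	return err
}

func main() {
	pt, _ := CBCMalleability()
	fmt.Printf("CBC, tampered, decrypts without error to: %q\n", pt)
	ct, tag, _ := EncryptThenMAC(demoKey, demoMACKey, demoIV, demoPlaintext)
	_, err := VerifyThenDecrypt(demoKey, demoMACKey, demoIV, tamper(ct, 7, '0'^'9'), tag)
	fmt.Println("CBC + ciphertext MAC, tampered:", err)
	fmt.Println("AES-GCM, tampered:", GCMRejectsTamper())
}
```

Note the caveat visible in the CBC output: the attacker pays for the clean edit of block 1 with a garbled block 0 (an edit of block 0 itself would instead go through the IV, which travels with the ciphertext). Whether a recipient tolerates a garbled block is exactly the kind of question that an explicit non-malleability requirement settles; an integrity check over the whole ciphertext, by MAC or by AEAD, removes it.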