Multiple Message Digest in CMS SHA-1+2

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Multiple Message Digest in CMS SHA-1+2

Eckenfels. Bernd

Hello,

 

When switching to SHA-2 message digest for S/Mime there is a problem that it is not always known if the other side will understand it. After all SHA-2 is defined for S/mime in RFC 5754, but not all clients support it.

 

So I am looking for a way to produce universally accepted signed messages.

 

According to RFC3851 you can specify a list of message digest algorithms. It looks like you would have two Signatures SignerInfo blocks on the message then (from the same key).

 

Is this in practice actually done and has anybody compatibility experiences with this? With BC I guess you would add multiple signerInfoGenerators?

 

Gruss

Bernd

--

Chief Architect (R&D), SEEBURGER AG, Germany
http://www.seeburger.com

 






     


SEEBURGER AG   Vorstand/SEEBURGER Executive Board:
Sitz der Gesellschaft/Registered Office:   Axel Haas, Michael Kleeberg, Friedemann Heinz, Dr. Martin Kuntz, Matthias Feßenbecker
Edisonstr. 1  
D-75015 Bretten Vorsitzende des Aufsichtsrats/Chairperson of the SEEBURGER Supervisory Board:
Tel.: 07252 / 96 - 0 Prof. Dr. Simone Zeuchner
Fax: 07252 / 96 - 2222
Internet: http://www.seeburger.de Registergericht/Commercial Register:
e-mail: [hidden email] HRB 240708 Mannheim


Dieses E-Mail ist nur für den Empfänger bestimmt, an den es gerichtet ist und kann vertrauliches bzw. unter das Berufsgeheimnis fallendes Material enthalten. Jegliche darin enthaltene Ansicht oder Meinungsäußerung ist die des Autors und stellt nicht notwendigerweise die Ansicht oder Meinung der SEEBURGER AG dar. Sind Sie nicht der Empfänger, so haben Sie diese E-Mail irrtümlich erhalten und jegliche Verwendung, Veröffentlichung, Weiterleitung, Abschrift oder jeglicher Druck dieser E-Mail ist strengstens untersagt. Weder die SEEBURGER AG noch der Absender (Eckenfels. Bernd) übernehmen die Haftung für Viren; es obliegt Ihrer Verantwortung, die E-Mail und deren Anhänge auf Viren zu prüfen.

This email is intended only for the recipient(s) to whom it is addressed. This email may contain confidential material that may be protected by professional secrecy. Any fact or opinion contained, or expression of the material herein, does not necessarily reflect that of SEEBURGER AG. If you are not the addressee or if you have received this email in error, any use, publication or distribution including forwarding, copying or printing is strictly prohibited. Neither SEEBURGER AG, nor the sender (Eckenfels. Bernd) accept liability for viruses; it is your responsibility to check this email and its attachments for viruses.

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Multiple Message Digest in CMS SHA-1+2

David Hook

Yes, you'd need to add multiple signerInfoGenerators.

I think you'd need to make sure you used different public keys for the signatures though. Apart from possible issues with generating lower security signatures with a weaker hash with the same key, I don't think many clients would do anything sensible if two signers had the same SignerID (or put another, while there might be a SHA-1 signer information object present, there's always the chance the "SHA-1 only" client will fetch the SHA-2 based signer information by mistake, not realising there is another one present).

Regards,

David

On 19/10/16 03:02, Eckenfels. Bernd wrote:

Hello,

 

When switching to SHA-2 message digest for S/Mime there is a problem that it is not always known if the other side will understand it. After all SHA-2 is defined for S/mime in RFC 5754, but not all clients support it.

 

So I am looking for a way to produce universally accepted signed messages.

 

According to RFC3851 you can specify a list of message digest algorithms. It looks like you would have two Signatures SignerInfo blocks on the message then (from the same key).

 

Is this in practice actually done and has anybody compatibility experiences with this? With BC I guess you would add multiple signerInfoGenerators?

 

Gruss

Bernd

--

Chief Architect (R&D), SEEBURGER AG, Germany
http://www.seeburger.com

 






     


SEEBURGER AG   Vorstand/SEEBURGER Executive Board:
Sitz der Gesellschaft/Registered Office:   Axel Haas, Michael Kleeberg, Friedemann Heinz, Dr. Martin Kuntz, Matthias Feßenbecker
Edisonstr. 1  
D-75015 Bretten
Vorsitzende des Aufsichtsrats/Chairperson of the SEEBURGER Supervisory Board:
Tel.: 07252 / 96 - 0
Prof. Dr. Simone Zeuchner
Fax: 07252 / 96 - 2222

Internet: http://www.seeburger.de
Registergericht/Commercial Register:
e-mail: [hidden email]
HRB 240708 Mannheim


Dieses E-Mail ist nur für den Empfänger bestimmt, an den es gerichtet ist und kann vertrauliches bzw. unter das Berufsgeheimnis fallendes Material enthalten. Jegliche darin enthaltene Ansicht oder Meinungsäußerung ist die des Autors und stellt nicht notwendigerweise die Ansicht oder Meinung der SEEBURGER AG dar. Sind Sie nicht der Empfänger, so haben Sie diese E-Mail irrtümlich erhalten und jegliche Verwendung, Veröffentlichung, Weiterleitung, Abschrift oder jeglicher Druck dieser E-Mail ist strengstens untersagt. Weder die SEEBURGER AG noch der Absender (Eckenfels. Bernd) übernehmen die Haftung für Viren; es obliegt Ihrer Verantwortung, die E-Mail und deren Anhänge auf Viren zu prüfen.

This email is intended only for the recipient(s) to whom it is addressed. This email may contain confidential material that may be protected by professional secrecy. Any fact or opinion contained, or expression of the material herein, does not necessarily reflect that of SEEBURGER AG. If you are not the addressee or if you have received this email in error, any use, publication or distribution including forwarding, copying or printing is strictly prohibited. Neither SEEBURGER AG, nor the sender (Eckenfels. Bernd) accept liability for viruses; it is your responsibility to check this email and its attachments for viruses.


Loading...