This document updates the Cryptographic Message Syntax (CMS) [RFC 5652
] to ensure that algorithm identifiers in signed-data and authenticated-data content types are adequately protected.
The CMS signed-data content type [RFC 5652
], unlike X.509 certificates [RFC 5280
], can be vulnerable to algorithm substitution attacks. In an algorithm substitution attack, the attacker changes either the algorithm identifier or the parameters associated with the algorithm identifier to change the verification process used by the recipient. The X.509 certificate structure protects the algorithm identifier and the associated parameters by signing them.
In an algorithm substitution attack, the attacker looks for a different algorithm that produces the same result as the algorithm used by the originator. As an example, if the signer of a message used SHA-256 [SHS
] as the digest algorithm to hash the message content, then the attacker looks for a weaker hash algorithm that produces a result that is of the same length. The attacker's goal is to find a different message that results in the same hash value, which is called a cross-algorithm collision. Today, there are many hash functions that produce 256-bit results. One of them may be found to be weak in the future.
Further, when a digest algorithm produces a larger result than is needed by a digital signature algorithm, the digest value is reduced to the size needed by the signature algorithm. This can be done both by truncation and modulo operations, with the simplest being straightforward truncation. In this situation, the attacker needs to find a collision with the reduced digest value. As an example, if the message signer uses SHA-512 [SHS
] as the digest algorithm and the Elliptic Curve Digital Signature Algorithm (ECDSA) with the P-256 curve [DSS
] as the signature algorithm, then the attacker needs to find a collision with the first half of the digest.
Similar attacks can be mounted against parameterized algorithm identifiers. When randomized hash functions are employed, such as the example in [RFC 6210
], the algorithm identifier parameter includes a random value that can be manipulated by an attacker looking for collisions. Some other algorithm identifiers include complex parameter structures, and each value provides another opportunity for manipulation by an attacker.
This document makes two updates to CMS to provide protection for the algorithm identifier. First, it mandates a convention followed by many implementations by requiring the originator to use the same hash algorithm to compute the digest of the message content and the digest of signed attributes. Second, it recommends that the originator include the CMSAlgorithmProtection attribute [RFC 6211