Failing to encrypt a signature increases the chance of a successful brute-force attack.
The MessageProtectionOrder
attribute allows you to specify the order in which signatures and encryption are applied (and whether or not the signatures should be encrypted). Setting the MessageProtectionOrder
attribute to anything other than SignBeforeEncryptAndEncryptSignature
constitutes a potential security problem.
Below is a list of possible alternative to SignBeforeEncryptAndEncryptSignature
and associated problems.
SignBeforeEncrypt - The signature is applied to the unencrypted message, but the signature itself is not encrypted.
EncryptBeforeSign - Message contents are encrypted then signed.
Messages signed with a low entropy keys, such as passwords, are more vulnerable to brute force attacks.
[1] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A10 Insecure Configuration Management
[2] Standards Mapping - OWASP Top 10 2010 - (OWASP 2010) A6 Security Misconfiguration
[3] Standards Mapping - OWASP Top 10 2007 - (OWASP 2007) A8 Insecure Cryptographic Storage
[4] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP3150.1 CAT II
[5] Standards Mapping - FIPS200 - (FISMA) CM
[6] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 311
[7] Standards Mapping - Web Application Security Consortium 24 + 2 - (WASC 24 + 2) Information Leakage
[8] MessageProtectionOrder Enumeration Microsoft
[9] Standards Mapping - SANS Top 25 2010 - (SANS 2010) Porous Defenses - CWE ID 311
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 - (PCI 1.2) Requirement 6.3.1.3, Requirement 6.5.8
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 6.5.10
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 - (PCI 2.0) Requirement 6.5.3