Message origin authentication allows the identity of a message originator to be verified. This service counters the threat of masquerade (i.e., impersonation of the message originator). Since origin authentication has limited utility without content integrity, the message origin authentication service also provides assurance that the message content has not been modified. If a security label is present in the message, this service also enables proof of association between the security label and the message. Message origin authentication can be provided by one of two methods: a message origin authentication check or a content integrity check.
The message origin authentication check allows the identity of a message originator to be verified by the message recipient(s) and by any MTA transferring the message. It is provided on a per-message basis using an asymmetric technique, that is, a digital signature.
The message origin authentication check is a digital signature included in the message envelope. The originator computes the signature as a function of the message content, the message content identifier (an optional attribute generated by the originator to facilitate the correlation of a message with any reports it may provoke), and the message security label. If the message content is encrypted, the signature is computed as a function of the encrypted content. Thus, the identity of the originator can be confirmed without the need to see the plaintext content.
If the signature is computed over the plaintext content, the message origin authentication check also provides non-repudiation of origin (see Section 11.6.6). This is not the case if the signature is computed over the encrypted content: the signature then binds neither the content-encryption key nor the plaintext, so the originator, although unable to deny sending that encrypted content, can deny that the content decrypted by the recipient is the same as the plaintext originally sent.
The message origin authentication check is computed using the originator's private key. The service places no restrictions on which asymmetric algorithm the originator uses, although recipients and MTAs can only validate signatures made with an algorithm they implement. The originator conveys the object identifier for the algorithm, any input parameters required by the algorithm, and the signature generated by the algorithm, in the message envelope.
The message recipient(s), and any MTA transferring the message, can validate the signature using the public key in the originator's certificate. This certificate may be transferred in the message envelope, or obtained by some other means. Validating the certificate itself (its chain of trust and its revocation status) is a prerequisite that the signature check does not perform.
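The following Go program is an added illustration of the check described above; it is not code from the original text or from any X.400 implementation. It assumes Ed25519 as the signature algorithm and AES-CTR as the content encryption, and its field names (Envelope, ContentIdentifier, SecurityLabel, AlgorithmID, Check) are illustrative rather than the X.411 ASN.1 names. The signature is computed over the encrypted content, the content identifier and the security label, so an MTA can validate it without the content-encryption key; modifying the ciphertext or swapping the label is detected; and, as the text notes, the same signed envelope decrypts to a different result under a different key, so the signature alone does not establish which plaintext was sent.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Envelope holds the fields the message origin authentication check covers.
// Field names are illustrative, not the X.411 ASN.1 names.
type Envelope struct {
	Content           []byte // plaintext or encrypted content, as transferred
	ContentIdentifier string // optional, assigned by the originator
	SecurityLabel     string
	AlgorithmID       string // identifies the signature algorithm and parameters
	Check             []byte // the signature; not part of the signed input
}

// signedInput is the byte string the originator signs: content, content
// identifier and security label, encoded unambiguously (a JSON array here).
func signedInput(env Envelope) []byte {
	b, err := json.Marshal([]interface{}{env.Content, env.ContentIdentifier, env.SecurityLabel})
	if err != nil {
		panic(err)
	}
	return b
}

// OriginateCheck builds the envelope and signs it with the originator's private key.
func OriginateCheck(priv ed25519.PrivateKey, content []byte, contentID, label string) Envelope {
	env := Envelope{Content: content, ContentIdentifier: contentID, SecurityLabel: label,
		AlgorithmID: "ed25519 (illustrative identifier)"}
	env.Check = ed25519.Sign(priv, signedInput(env))
	return env
}

// ValidateCheck is what a recipient or any transferring MTA runs. It needs only
// the envelope and the originator's public key, never a content-encryption key.
func ValidateCheck(pub ed25519.PublicKey, env Envelope) bool {
	return ed25519.Verify(pub, signedInput(env), env.Check)
}

// ctrCrypt encrypts or decrypts with AES-CTR (the same operation both ways).
func ctrCrypt(key, iv, in []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out
}

// Outcome records what the demonstration shows.
type Outcome struct {
	MTAAccepts     bool   // an MTA validates the check without the content key
	TamperDetected bool   // a modified ciphertext fails the check
	LabelDetected  bool   // a swapped security label fails the check
	RecipientPlain string // what the intended key recovers
	OtherKeyPlain  string // what a different key recovers from the same signed ciphertext
}

// DemoEncryptedContentCheck signs encrypted content, as the text describes.
// The keys, IV and message are constructed sample data, not from any real system.
func DemoEncryptedContentCheck() Outcome {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	plaintext := []byte("transfer 100 units to account 42")
	key := bytes.Repeat([]byte{0x11}, 16)           // constructed content-encryption key
	iv := bytes.Repeat([]byte{0x42}, aes.BlockSize) // constructed; never reuse a CTR IV under one key
	env := OriginateCheck(priv, ctrCrypt(key, iv, plaintext), "msg-0001", "CONFIDENTIAL")
	var o Outcome
	o.MTAAccepts = ValidateCheck(pub, env)
	tampered := env
	tampered.Content = append([]byte(nil), env.Content...) // copy before modifying
	tampered.Content[0] ^= 0x01
	o.TamperDetected = !ValidateCheck(pub, tampered)
	relabelled := env
	relabelled.SecurityLabel = "UNCLASSIFIED"
	o.LabelDetected = !ValidateCheck(pub, relabelled)
	o.RecipientPlain = string(ctrCrypt(key, iv, env.Content))
	// A key the originator could later claim to have used: the envelope and its
	// signature are unchanged, so the check cannot say which plaintext was sent.
	otherKey := bytes.Repeat([]byte{0x22}, 16)
	o.OtherKeyPlain = string(ctrCrypt(otherKey, iv, env.Content))
	return o
}

func main() {
	fmt.Printf("%+v\n", DemoEncryptedContentCheck())
}
```

Signing the encrypted content is what lets an MTA validate the check without ever holding the content key; the price, shown by OtherKeyPlain, is that the signature vouches only for the ciphertext.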
The second method to provide message origin authentication is the content integrity check. The content integrity check allows the identity of the originator to be verified by the message recipient(s), and possibly by any MTA transferring the message. It is provided on a per-recipient basis, using either symmetric or asymmetric encryption techniques.
The content integrity check is a cryptographic checksum included as a per-recipient field in the message envelope, or in the message token. A distinct token can be generated for each message recipient. If the secrecy of the check is required, the originator places it in the token's encrypted-data. Unlike the message origin authentication check, the content integrity check must be computed as a function of the plaintext message content.
The originator may choose either a symmetric or asymmetric encryption algorithm to compute the check. If the originator chooses a symmetric algorithm, a symmetric key is used by the message originator to compute the check, and by the message recipient(s) to validate it. This key can be transferred in the token's encrypted-data, or distributed by some other means (e.g., by prior agreement). Since only the originator and the recipient(s) share this key, no MTA transferring the message can validate the check. For the same reason the key should be distinct for each recipient: if one key is shared among several recipients, any of them can compute a valid check and so impersonate the originator towards the others.
If the content integrity check is computed with an asymmetric encryption algorithm (i.e., is a digital signature), the originator's private key is used to generate the check. The recipient validates the check using the originator's public key certificate. This certificate may be transferred in the message envelope, or obtained by some other means. Provided that the originator does not transfer the check in the token's encrypted-data, any MTA handling the message can validate the check.
The content integrity check can be computed using any symmetric or asymmetric algorithm understood by both the originator and the recipient. All information relevant to the algorithm can be conveyed with the check.
If an asymmetric algorithm is used to compute the check, non-repudiation of origin (see Section 11.6.6) is provided in addition to origin authentication. If a symmetric algorithm is used, the check by itself cannot provide non-repudiation, because the recipient holds the same key and could have produced it. Non-repudiation of origin can nevertheless be provided by placing the content integrity check in the token's signed-data or encrypted-data, since the token as a whole is signed by the originator: the check is computed over the plaintext content, and that check is then signed by the originator. The originator may also transfer a security label with the content integrity check in either the token's signed-data or encrypted-data, to bind the security label to the message content.
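The following Go program is an added illustration of the symmetric content integrity check carried in a signed token, covering the per-recipient keying discussed above and the non-repudiation point just made; it is not code from the original text or from any X.400 implementation. It assumes HMAC-SHA256 as the symmetric check, Ed25519 as the originator's signature over the token, and illustrative field names (TokenSignedData, PerRecipientToken, Check) rather than the X.411 ASN.1 names; the token's encrypted-data part is omitted. Each recipient validates with its own key, an MTA can validate only the originator's signature, and a recipient who forges a check with the shared key cannot produce a token the originator's signature covers.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// TokenSignedData is the token content the originator signs. Names are
// illustrative, not the X.411 ASN.1 names. An encrypted-data part, which would
// also be covered by the signature, is omitted to keep the example short.
type TokenSignedData struct {
	Recipient     string
	SecurityLabel string
	AlgorithmID   string
	Check         []byte // content integrity check over the plaintext content
}

// PerRecipientToken is the per-recipient envelope field carrying the check.
type PerRecipientToken struct {
	SignedData TokenSignedData
	Signature  []byte // originator's signature over SignedData
}

// ContentIntegrityCheck computes the check over the plaintext with the key
// shared between the originator and one recipient (HMAC-SHA256 here).
func ContentIntegrityCheck(key, plaintext []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(plaintext)
	return m.Sum(nil)
}

// encode serialises the signed part of the token unambiguously (JSON here).
func encode(sd TokenSignedData) []byte {
	b, err := json.Marshal(sd)
	if err != nil {
		panic(err)
	}
	return b
}

// OriginateToken builds and signs the token for one recipient.
func OriginateToken(priv ed25519.PrivateKey, recipient string, recipKey, plaintext []byte, label string) PerRecipientToken {
	sd := TokenSignedData{Recipient: recipient, SecurityLabel: label,
		AlgorithmID: "hmac-sha256 (illustrative identifier)", Check: ContentIntegrityCheck(recipKey, plaintext)}
	return PerRecipientToken{SignedData: sd, Signature: ed25519.Sign(priv, encode(sd))}
}

// MTAValidate is all a transferring MTA can do without the per-recipient key:
// confirm that the originator signed this token. It cannot check the HMAC.
func MTAValidate(pub ed25519.PublicKey, tok PerRecipientToken) bool {
	return ed25519.Verify(pub, encode(tok.SignedData), tok.Signature)
}

// RecipientValidate verifies the originator's signature on the token and then
// the check against the plaintext the recipient holds.
func RecipientValidate(pub ed25519.PublicKey, recipKey, plaintext []byte, tok PerRecipientToken) bool {
	return MTAValidate(pub, tok) &&
		hmac.Equal(tok.SignedData.Check, ContentIntegrityCheck(recipKey, plaintext))
}

// Outcome records what the demonstration shows.
type Outcome struct {
	BobAccepts, CarolAccepts bool // each recipient validates with its own key
	MTAAccepts               bool // MTA validates only the signature
	BobKeyOnCarolToken       bool // false: Bob's key does not validate Carol's check
	ForgedCheckVerifies      bool // true: Bob can compute a valid bare check himself
	ForgedTokenVerifies      bool // false: he cannot produce the originator's signature
}

// DemoContentIntegrityCheck uses constructed keys and content, not real data.
func DemoContentIntegrityCheck() Outcome {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	plaintext := []byte("approve purchase order 7781")
	bobKey := []byte("constructed-key-shared-with-bob")
	carolKey := []byte("constructed-key-shared-with-carol")
	bobTok := OriginateToken(priv, "bob", bobKey, plaintext, "CONFIDENTIAL")
	carolTok := OriginateToken(priv, "carol", carolKey, plaintext, "CONFIDENTIAL")
	var o Outcome
	o.BobAccepts = RecipientValidate(pub, bobKey, plaintext, bobTok)
	o.CarolAccepts = RecipientValidate(pub, carolKey, plaintext, carolTok)
	o.MTAAccepts = MTAValidate(pub, bobTok)
	o.BobKeyOnCarolToken = RecipientValidate(pub, bobKey, plaintext, carolTok)
	// Bob, holding the shared key, forges a check for content the originator never sent.
	forged := []byte("approve purchase order 9999")
	forgedTok := bobTok
	forgedTok.SignedData.Check = ContentIntegrityCheck(bobKey, forged)
	// An arbiter given only the bare check and the shared key accepts it...
	o.ForgedCheckVerifies = hmac.Equal(forgedTok.SignedData.Check, ContentIntegrityCheck(bobKey, forged))
	// ...but the originator's signature over the token no longer verifies.
	o.ForgedTokenVerifies = MTAValidate(pub, forgedTok)
	return o
}

func main() {
	fmt.Printf("%+v\n", DemoContentIntegrityCheck())
}
```

The forgery at the end is the whole argument for carrying a symmetric check inside signed-data: the HMAC proves to Bob that the content is intact, but only the originator's signature over the token lets a third party attribute that check to the originator rather than to Bob.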