I want to use EncryptedKey to transport an HMAC-SHA1 key, but the
obvious way of doing it seems to be open to algorithm substitution attacks.
Specifically, I'd like Alice to be able to agree a MAC key with Bob by
sending Bob a document signed by Alice which includes the MAC key inside
an EncryptedKey signed with Bob's public key. Bob should then be able
to use this key to authenticate documents as originating from Alice.
However, this construction doesn't seem sufficient by itself to do this
securely, because this protocol doesn't communicate which MAC algorithm
is to be used until Alice sends a message to Bob. This means that once
Alice and Bob have agreed a MAC key, our attacker can choose whichever
MAC algorithm is weakest among all those that Bob accepts, and use that
to authenticate his bogus message.
AFAIK, if it is possible for the attacker to cause the same key to be
used for two different algorithms, then security cannot be guaranteed.
How can I ensure that whenever I use EncryptedKey or SymmetricKeyWrap to
communicate a key, the "type information" gets passed alongside it?
Thanks in advance!
Paul Crowley
LShift Ltd
www.lshift.net
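One way to carry the "type information" with the key, as an added example that is not part of the original post and not a feature of XML Encryption itself: the signed key-exchange document names the MAC algorithm URI, Bob enforces that URI on every later message, and both sides derive the working MAC key from the transported key and the URI (HKDF-SHA256 is an assumed choice), so breaking the weakest accepted MAC only ever yields that algorithm's derived key, never the transported key or the key used with the agreed algorithm.

```python
import hashlib
import hmac

# Algorithm URIs from XML Signature core and RFC 4051 (xmldsig-more).
MAC_ALGS = {
    "http://www.w3.org/2000/09/xmldsig#hmac-sha1": hashlib.sha1,
    "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256": hashlib.sha256,
}


def hkdf(ikm: bytes, info: bytes, length: int = 32, salt: bytes = b"") -> bytes:
    """HKDF-SHA256 per RFC 5869 (extract, then expand), built from hmac only."""
    prk = hmac.new(salt or bytes(32), ikm, hashlib.sha256).digest()
    okm, block = b"", b""
    for counter in range(1, (length + 31) // 32 + 1):
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
    return okm[:length]


def bound_key(transported_key: bytes, alg_uri: str) -> bytes:
    """Working MAC key bound to one algorithm: the transported key (the one
    carried in EncryptedKey) is never fed to a MAC directly."""
    return hkdf(transported_key, b"mac-alg:" + alg_uri.encode())


def mac(key: bytes, alg_uri: str, message: bytes) -> bytes:
    return hmac.new(key, message, MAC_ALGS[alg_uri]).digest()


def naive_verify(transported_key: bytes, claimed_alg: str, message: bytes, tag: bytes) -> bool:
    """The scheme the post worries about: raw transported key, and the
    algorithm is whatever the message claims, so the weakest one wins."""
    return hmac.compare_digest(mac(transported_key, claimed_alg, message), tag)


def bound_verify(transported_key: bytes, agreed_alg: str, claimed_alg: str,
                 message: bytes, tag: bytes) -> bool:
    """Algorithm fixed by the signed key exchange and enforced here; the
    derived key also differs per algorithm, so the two defences stack."""
    if claimed_alg != agreed_alg:
        return False
    expected = mac(bound_key(transported_key, agreed_alg), agreed_alg, message)
    return hmac.compare_digest(expected, tag)
```

The constructed key and message below are illustrative only; in practice the transported key comes out of the EncryptedKey and the agreed URI out of the signed exchange document.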