[149194] in cryptography@c2.net mail archive
Re: [Cryptography] Does PGP use sign-then-encrypt or
daemon@ATHENA.MIT.EDU (James A. Donald)
Tue Jan 21 22:06:48 2014
Date: Wed, 22 Jan 2014 11:56:23 +1000
From: "James A. Donald" <jamesd@echeque.com>
To: cryptography@metzdowd.com

Since one does not want contact tracing, why make it easier by exposing
your durable public key on the outside?

Append your durable public key to the message plaintext, or append an
identifier from which your public key can be located. MAC the plaintext
message with a shared secret created from your durable secret key and
the recipient's durable public key. (This form of signing proves to the
recipient that a person with your secret key signed the message, but
does not enable him to prove that to anyone else.)

Create a transient secret key and corresponding transient public key.
Create a transient shared secret from the transient secret key and the
recipient's durable public key.

Using the transient shared secret, symmetrically encrypt then MAC, or
perhaps use an authenticated block encryption mode.

Append the symmetrically encrypted and MACed message to the transient
public key, and send it.

Recipient derives the same transient shared secret from his durable
secret key and the transient public key (which is why we call that
secret "shared"), then checks the MAC, then decrypts. After decryption,
checks the signature, the inner MAC.
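
The scheme described in the message above, carried through end to end as an added example that is not part of the original post. The post names no algorithms, so X25519, HMAC-SHA256, the SHA-256 key derivation and the SHAKE-256 keystream (standing in for a real cipher or authenticated mode) are assumptions, as are the function names and the wire layout.

```python
import hashlib, hmac, os
P = 2**255 - 19                       # Curve25519 field prime
BASE = (9).to_bytes(32, "little")     # base point u = 9

def x25519(k, u):                     # RFC 7748 ladder; readable, not constant-time
    k = int.from_bytes(k, "little") & ~7 & ~(128 << 248) | (64 << 248)
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (k >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        A, B, C, D = x2 + z2, x2 - z2, x3 + z3, x3 - z3
        AA, BB, DA, CB = A * A % P, B * B % P, D * A % P, C * B % P
        x3, z3 = (DA + CB) ** 2 % P, x1 * (DA - CB) ** 2 % P
        x2, z2 = AA * BB % P, (AA - BB) * (AA + 121665 * (AA - BB)) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def kdf(secret, label):               # assumed KDF: SHA-256(label || secret)
    return hashlib.sha256(label + secret).digest()

def mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def stream(key, data):                # SHAKE-256 keystream; each key is used once
    return bytes(a ^ b for a, b in zip(data, hashlib.shake_256(key).digest(len(data))))

def seal(sender_sk, recipient_pk, message):
    body = message + x25519(sender_sk, BASE)          # durable public key stays inside
    inner = body + mac(kdf(x25519(sender_sk, recipient_pk), b"inner"), body)
    eph_sk = os.urandom(32)                           # transient secret key
    shared = x25519(eph_sk, recipient_pk)             # transient shared secret
    ct = stream(kdf(shared, b"enc"), inner)           # encrypt, then MAC
    return x25519(eph_sk, BASE) + ct + mac(kdf(shared, b"mac"), ct)

def unseal(recipient_sk, packet):
    eph_pk, ct, tag = packet[:32], packet[32:-32], packet[-32:]
    shared = x25519(recipient_sk, eph_pk)
    if len(ct) < 64 or not hmac.compare_digest(tag, mac(kdf(shared, b"mac"), ct)):
        raise ValueError("outer MAC check failed")
    inner = stream(kdf(shared, b"enc"), ct)
    body, sender_pk = inner[:-32], inner[-64:-32]
    inner_key = kdf(x25519(recipient_sk, sender_pk), b"inner")
    if not hmac.compare_digest(inner[-32:], mac(inner_key, body)):
        raise ValueError("inner MAC check failed")
    return body[:-32], sender_pk
```

The inner MAC only shows that the holder of the embedded public key, or the recipient himself, produced the message, so the recipient still has to match the returned key against a known contact.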