[149211] in cryptography@c2.net mail archive
Re: [Cryptography] Does PGP use sign-then-encrypt or
daemon@ATHENA.MIT.EDU (Steve Weis)
Wed Jan 22 21:22:43 2014
X-Original-To: cryptography@metzdowd.com
In-Reply-To: <CAHE9jN2vC6vQ-T0yDsjqPpB=oQ-WzBjzyNHByu5D4saJ-XgjLw@mail.gmail.com>
From: Steve Weis <steveweis@gmail.com>
Date: Wed, 22 Jan 2014 17:13:20 -0800
To: Alexandre Anzala-Yamajako <anzalaya@gmail.com>
Cc: Cryptography <cryptography@metzdowd.com>,
Ralf Senderek <crypto@senderek.ie>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
On Wed, Jan 22, 2014 at 3:05 PM, Alexandre Anzala-Yamajako
<anzalaya@gmail.com> wrote:
>> I think signing ciphertexts is generally a best practice, and certainly not a "mortal sin".
>
> In the public key world, signing ciphertexts not only reveals the identity
> of the sender but also allow relay attacks where a guy intercepts a signed
> message, strips it from his signature and replaces it with its own.
> Depending on the protocol it can be a problem.
> I think the encrypt-sign-encrypt solution solves both of those problems
Like I said, I think encrypt-then-sign is generally a best practice
for both symmetric and public-key crypto. There are some exceptions,
but I've mainly seen those motivated by performance or legacy issues.
The relay attack you describe implies a naive verifier that doesn't
check whose key signed a message. It means the verifier accepts any
well-formed signature, regardless of the key that signed it. That
seems to defeat the purpose of signing it in the first place. If
that's the case, I don't think the proposed solution to encrypt again
actually helps.
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
