[149180] in cryptography@c2.net mail archive


Re: [Cryptography] Does PGP use sign-then-encrypt or

daemon@ATHENA.MIT.EDU (John Kelsey)
Tue Jan 21 16:59:20 2014

X-Original-To: cryptography@metzdowd.com
In-Reply-To: <m3bnz5w3do.fsf@carbon.jhcloos.org>
From: John Kelsey <crypto.jmk@gmail.com>
Date: Tue, 21 Jan 2014 16:36:30 -0500
To: James Cloos <cloos@jhcloos.com>
Cc: "cryptography@metzdowd.com" <cryptography@metzdowd.com>,
	Stephan Neuhaus <stephan.neuhaus@tik.ee.ethz.ch>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

Encrypt then sign has the big advantage that on the receiving side, you can verify the signature before processing the ciphertext at all.  And that means you can avoid all kinds of chosen ciphertext attacks on your encryption mechanism, many of which are surprisingly effective.  (I'm thinking in terms of reaction attacks here--stuff where you mess up the last block of ciphertext, and learn something about the plaintext depending on whether your change messed up the block padding through CBC decryption.)

--John
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
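
An added illustration of the point in the message above (not part of the original post, and not PGP's code): two receivers handle the same tampered CBC traffic, and `demo()` returns the set of distinct replies each one gives. Assumptions: HMAC stands in for the signature, a toy Feistel construction stands in for a real block cipher so the example needs only the standard library, and all function names are hypothetical.

```python
import hashlib, hmac, os

BLOCK, TAG = 16, 32
EK, SK = os.urandom(32), os.urandom(32)   # demo keys: encryption, "signing"

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _block(blk, dec=False):               # toy 4-round Feistel, NOT a real cipher
    l, r = (blk[8:], blk[:8]) if dec else (blk[:8], blk[8:])
    for i in (range(3, -1, -1) if dec else range(4)):
        l, r = r, _xor(l, hmac.new(EK, bytes([i]) + r, hashlib.sha256).digest()[:8])
    return r + l if dec else l + r

def cbc_encrypt(pt):                      # CBC, PKCS#7 padding, random IV prepended
    pad = BLOCK - len(pt) % BLOCK
    pt, out = pt + bytes([pad]) * pad, [os.urandom(BLOCK)]
    for i in range(0, len(pt), BLOCK):
        out.append(_block(_xor(pt[i:i + BLOCK], out[-1])))
    return b"".join(out)

def cbc_decrypt(ct):                      # raises on bad padding: the "reaction"
    pt = b"".join(_xor(_block(ct[i:i + BLOCK], True), ct[i - BLOCK:i])
                  for i in range(BLOCK, len(ct), BLOCK))
    pad = pt[-1]
    if not 1 <= pad <= BLOCK or pt[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad padding")
    return pt[:-pad]

def sign(data):                           # HMAC stands in for a real signature
    return hmac.new(SK, data, hashlib.sha256).digest()

def recv_sign_then_encrypt(wire):         # must decrypt before it can verify
    try:
        inner = cbc_decrypt(wire)
    except ValueError:
        return "bad padding"
    ok = hmac.compare_digest(sign(inner[:-TAG]), inner[-TAG:])
    return "ok" if ok else "bad signature"

def recv_encrypt_then_sign(wire):         # verifies first; forgeries never reach CBC
    if not hmac.compare_digest(sign(wire[:-TAG]), wire[-TAG:]):
        return "bad signature"
    cbc_decrypt(wire[:-TAG])
    return "ok"

def reactions(recv, wire, idx):           # distinct replies to tampering with byte idx
    return {recv(wire[:idx] + bytes([wire[idx] ^ d]) + wire[idx + 1:]) for d in range(1, 256)}

def demo(msg=b"meeting moved to 15:00"):  # constructed sample plaintext
    ct = cbc_encrypt(msg)
    return (reactions(recv_sign_then_encrypt, cbc_encrypt(msg + sign(msg)), -BLOCK - 1),
            reactions(recv_encrypt_then_sign, ct + sign(ct), -TAG - BLOCK - 1))
```

The first receiver answers tampering with two distinguishable replies, one of which depends on the padding of the decrypted plaintext; the second gives the same reply to every modified message because the ciphertext is never decrypted.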
