[149186] in cryptography@c2.net mail archive


Re: [Cryptography] Does PGP use sign-then-encrypt or

daemon@ATHENA.MIT.EDU (Phillip Hallam-Baker)
Tue Jan 21 17:44:40 2014

X-Original-To: cryptography@metzdowd.com
In-Reply-To: <56590C9E-B56D-4ABE-BE25-E4A6CDF51C31@gmail.com>
Date: Tue, 21 Jan 2014 17:28:24 -0500
From: Phillip Hallam-Baker <hallam@gmail.com>
To: John Kelsey <crypto.jmk@gmail.com>
Cc: Stephan Neuhaus <stephan.neuhaus@tik.ee.ethz.ch>,
	"cryptography@metzdowd.com" <cryptography@metzdowd.com>,
	James Cloos <cloos@jhcloos.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

On Tue, Jan 21, 2014 at 4:36 PM, John Kelsey <crypto.jmk@gmail.com> wrote:

> Encrypt then sign has the big advantage that on the receiving side, you can
> verify the signature before processing the ciphertext at all.  And that
> means you can avoid all kinds of chosen ciphertext attacks on your
> encryption mechanism, many of which are surprisingly effective.  (I'm
> thinking in terms of reaction attacks here--stuff where you mess up the
> last block of ciphertext, and learn something about the plaintext depending
> on whether your change messed up the block padding through CBC decryption.)
>

I think we need to consider the whole email infrastructure these days. In
particular we have DKIM now which we didn't before.

So my preference would be,

Let m be the initial message, ks be the personal signature key of the
sender, kr be the personal encryption key of the receiver, kd the dkim
server signature key

DKIM:  Sign (body, kd)
..

body = E ( m + Sign (m, ks), kr )

The DKIM signature should be sufficient for anti-spam control purposes
which should be all the receiver requires in order to decide whether it is
worth spending effort to decrypt.

Of course the scheme can be improved considerably if the encryption format
allows the content and the signature(s) to be encrypted separately. In that
case we can construct a signature over the encrypted and unencrypted data
in one go.


-- 
Website: http://hallambaker.com/
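
The layering proposed in the message above, as an added Go example that is not part of the original post. Assumptions: Ed25519 stands for both Sign operations, RSA-OAEP for E, "+" is concatenation, and the DKIM step is reduced to a signature over the body alone; `Send`, `Receive` and `Demo` are hypothetical names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Send builds body = E(m + Sign(m, ks), kr), then signs body with kd.
// Assumption: RSA-OAEP applied directly, so m is limited to about 126 bytes.
func Send(m []byte, ks, kd ed25519.PrivateKey, kr *rsa.PublicKey) (body, dkimSig []byte, err error) {
	inner := append(append([]byte{}, m...), ed25519.Sign(ks, m)...)
	body, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, kr, inner, nil)
	if err != nil {
		return nil, nil, err
	}
	return body, ed25519.Sign(kd, body), nil
}

// Receive checks the server signature before the private key touches body.
func Receive(body, dkimSig []byte, ksPub, kdPub ed25519.PublicKey, kr *rsa.PrivateKey) ([]byte, error) {
	if !ed25519.Verify(kdPub, body, dkimSig) {
		return nil, fmt.Errorf("server signature invalid, body not decrypted")
	}
	inner, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, kr, body, nil)
	if err != nil || len(inner) < ed25519.SignatureSize {
		return nil, fmt.Errorf("decryption failed")
	}
	cut := len(inner) - ed25519.SignatureSize
	if !ed25519.Verify(ksPub, inner[:cut], inner[cut:]) {
		return nil, fmt.Errorf("sender signature invalid")
	}
	return inner[:cut], nil
}

// Demo sends one constructed message, then flips a ciphertext bit in transit.
func Demo() (string, error) {
	sPub, ks, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	dPub, kd, _ := ed25519.GenerateKey(nil)
	kr, _ := rsa.GenerateKey(rand.Reader, 2048)
	body, sig, _ := Send([]byte("constructed sample"), ks, kd, &kr.PublicKey)
	m, _ := Receive(body, sig, sPub, dPub, kr)
	body[len(body)-1] ^= 1
	_, err := Receive(body, sig, sPub, dPub, kr)
	return string(m), err
}

func main() { fmt.Println(Demo()) }
```

The altered body is rejected at the outer signature check, so the decryption routine never sees it; the sender's personal signature is only visible to the holder of kr.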
