[149187] in cryptography@c2.net mail archive
Re: [Cryptography] Does PGP use sign-then-encrypt or
daemon@ATHENA.MIT.EDU (Jerry Leichter)
Tue Jan 21 17:55:26 2014
X-Original-To: cryptography@metzdowd.com
From: Jerry Leichter <leichter@lrw.com>
In-Reply-To: <56590C9E-B56D-4ABE-BE25-E4A6CDF51C31@gmail.com>
Date: Tue, 21 Jan 2014 17:47:57 -0500
To: John Kelsey <crypto.jmk@gmail.com>
Cc: Stephan Neuhaus <stephan.neuhaus@tik.ee.ethz.ch>,
"cryptography@metzdowd.com" <cryptography@metzdowd.com>,
James Cloos <cloos@jhcloos.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
On Jan 21, 2014, at 4:36 PM, John Kelsey wrote:
> Encrypt then sign has the big advantage that on the receiving side, you can verify the signature before processing the ciphertext at all. And that means you can avoid all kinds of chosen ciphertext attacks on your encryption mechanism, many of which are surprisingly effective. (I'm thinking in terms of reaction attacks here--stuff where you mess up the last block of ciphertext, and learn something about the plaintext depending on whether your change messed up the block padding through CBC decryption.)
Verifying a signature is a fairly expensive operation, and one wonders if it, too, is subject to some kind of attack.
Perhaps the right solution is to do a MAC last - whether you do the signature or the encryption first. A MAC is cheap to compute, cheap to check, and simple enough that you have some hope of being sure it won't information.
Or you can use a combined encryption and authentication mode. I would think that you then want to do Sign-Then-Encrypt&Authenticate, as the outer authentication protects the inner signature from attack - but such reasoning has proved tricky and wrong in the past.
-- Jerry
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
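The "verify before you touch the ciphertext" point above can be checked concretely. The following is an added example, not code from the thread or from PGP: it builds two receivers over CBC with PKCS#7 padding, one in MAC-then-encrypt order (the tag is inside the ciphertext, so the receiver must decrypt and unpad before it can check anything, the same shape as sign-then-encrypt) and one in encrypt-then-MAC order (Jerry's "do a MAC last"). A defender's test then corrupts one ciphertext byte in two places and records which error the receiver emits. The keys, IV and message are constructed, fixed values so the run is reproducible; HMAC-SHA256 stands in for the signature for brevity, and the `mte`/`etm` scheme names and all function names are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Two distinguishable receiver errors. A MAC-then-encrypt receiver cannot
// help telling them apart (it must unpad before it can reach the tag); that
// difference is the "reaction" a padding oracle feeds on. An encrypt-then-MAC
// receiver only ever emits ErrMAC, because a tampered message never reaches
// the decryption step.
var (
	ErrPadding = errors.New("bad padding")
	ErrMAC     = errors.New("bad mac")
)

// Constructed, fixed test vectors so the run is deterministic (not real keys).
var (
	encKey = []byte("0123456789abcdef")         // AES-128 key (assumed value)
	macKey = []byte("fedcba9876543210fedcba98") // HMAC-SHA256 key (assumed value)
	iv     = bytes.Repeat([]byte{0x42}, aes.BlockSize)
	msg    = []byte("twenty byte message!") // 20 bytes -> 12 bytes of PKCS#7 padding
)

// concat builds a fresh slice so no caller's backing array is aliased.
func concat(parts ...[]byte) []byte {
	var out []byte
	for _, p := range parts {
		out = append(out, p...)
	}
	return out
}

func pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return concat(b, bytes.Repeat([]byte{byte(n)}, n))
}

func unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, ErrPadding
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize {
		return nil, ErrPadding
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, ErrPadding
		}
	}
	return b[:len(b)-n], nil
}

// cbc runs AES-CBC under the fixed IV; input length is checked by the callers.
func cbc(encrypt bool, in []byte) []byte {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(in))
	if encrypt {
		cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, in)
	} else {
		cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, in)
	}
	return out
}

func tag(data []byte) []byte {
	m := hmac.New(sha256.New, macKey)
	m.Write(data)
	return m.Sum(nil)
}

// seal produces a message under the named scheme: "mte" (MAC inside the
// ciphertext) or "etm" (MAC over IV||ciphertext, appended outside it).
func seal(scheme string, m []byte) []byte {
	if scheme == "mte" {
		return cbc(true, pad(concat(m, tag(m))))
	}
	ct := cbc(true, pad(m))
	return concat(ct, tag(concat(iv, ct)))
}

func open(scheme string, ct []byte) ([]byte, error) {
	if scheme == "mte" {
		// The tag is not reachable until the ciphertext has been decrypted
		// and unpadded, so two different failures are visible to a sender.
		if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
			return nil, ErrPadding
		}
		p, err := unpad(cbc(false, ct))
		if err != nil {
			return nil, err
		}
		if len(p) < sha256.Size {
			return nil, ErrMAC
		}
		m, t := p[:len(p)-sha256.Size], p[len(p)-sha256.Size:]
		if !hmac.Equal(t, tag(m)) {
			return nil, ErrMAC
		}
		return m, nil
	}
	// etm: check the tag first; decryption only runs on authentic input.
	if len(ct) < sha256.Size {
		return nil, ErrMAC
	}
	body, t := ct[:len(ct)-sha256.Size], ct[len(ct)-sha256.Size:]
	if !hmac.Equal(t, tag(concat(iv, body))) {
		return nil, ErrMAC
	}
	p, err := unpad(cbc(false, body))
	if err != nil {
		return nil, ErrMAC // unreachable for an honest sender; error stays uniform anyway
	}
	return p, nil
}

// tamperKinds seals msg and applies two independent one-byte corruptions: one
// in the first ciphertext block (plaintext garbled, padding intact) and one in
// the byte that feeds the final plaintext byte (padding broken). It returns the
// receiver's error for each so the two schemes' reactions can be compared.
func tamperKinds(scheme string) (firstBlock, lastByte error) {
	ct := seal(scheme, msg)
	body := len(ct)
	if scheme == "etm" {
		body -= sha256.Size // the tag sits outside the CBC body
	}
	c1 := append([]byte{}, ct...)
	c1[0] ^= 0x01
	_, firstBlock = open(scheme, c1)
	c2 := append([]byte{}, ct...)
	c2[body-aes.BlockSize-1] ^= 0x01 // last byte of the penultimate block
	_, lastByte = open(scheme, c2)
	return firstBlock, lastByte
}

func roundTrip(scheme string) bool {
	p, err := open(scheme, seal(scheme, msg))
	return err == nil && bytes.Equal(p, msg)
}

func main() {
	for _, s := range []string{"mte", "etm"} {
		a, b := tamperKinds(s)
		fmt.Printf("%s: round-trip=%v, first-block tamper -> %v, padding tamper -> %v\n",
			s, roundTrip(s), a, b)
	}
}
```

Run as-is, the `mte` receiver answers the two corruptions with two different errors (bad mac, then bad padding), while the `etm` receiver answers both with bad mac. The same test applied to a real protocol implementation (swap in its unseal routine and compare error kinds and, ideally, timing) is a cheap way to find out whether a receiver exposes the reaction that Kelsey describes; the combined encrypt-and-authenticate modes Jerry mentions give the etm behaviour by construction.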