[149203] in cryptography@c2.net mail archive
Re: [Cryptography] Does PGP use sign-then-encrypt or
daemon@ATHENA.MIT.EDU (Yuriy Kaminskiy)
Wed Jan 22 12:45:51 2014
To: cryptography@metzdowd.com
From: Yuriy Kaminskiy <yumkam@gmail.com>
Date: Wed, 22 Jan 2014 14:12:27 +0400
In-Reply-To: <FE2F960D-399B-4AA3-8860-5C704E9000D3@lrw.com>
Jerry Leichter wrote:
> On Jan 21, 2014, at 5:13 PM, Tony Arcieri wrote:
>> I am distinguishing MACs from "signatures", as at least in my nomenclature
>> digital signature systems are an inherently pubkey system.
> MACs and digital signature systems are different in a more fundamental way:
> With a signature system, Bob can prove to anyone that a message was signed by
> Alice without himself being able to produce messages with Alice's signature
> on them. With a MAC, Bob has everything needed to produce messages "MAC'ed"
> by Alice. But that's fine, because the entire purpose of a MAC is for Bob to
> be able to prove *to himself* that Alice produced a message. There's not
> much point in him forging a message and then proving to himself that he
> forged it!
Yet *there is*. If Bob's private key has leaked and he is not aware of that,
a hijacker can decrypt a message from Alice, change its contents, re-encrypt
it to Bob with a corrected MAC, and pass it to Bob. Not possible with a signed message.
> [...]
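The difference discussed in this message, as an added example that is not part of the original post or of PGP: the holder of the shared MAC key can produce a tag Bob accepts for altered contents, while Alice's signature over the original does not verify for them. Encryption is left out; `mac_key` is assumed to be the key Bob recovers on decryption, a Lamport one-time signature stands in for Alice's public-key signature, and all names and messages are constructed.

```python
import hashlib
import hmac
import secrets

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def mac_tag(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def mac_ok(key: bytes, msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(key, msg), tag)

# Lamport one-time signature: a stand-in for Alice's public-key signature.
def lamport_keygen():
    sk = [[secrets.token_bytes(32), secrets.token_bytes(32)] for _ in range(256)]
    pk = [[H(a), H(b)] for a, b in sk]
    return sk, pk

def digest_bits(msg: bytes):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def lamport_sign(sk, msg: bytes):
    # Reveal one secret per digest bit; the key must never sign a second message.
    return [sk[i][bit] for i, bit in enumerate(digest_bits(msg))]

def lamport_verify(pk, msg: bytes, sig) -> bool:
    bits = digest_bits(msg)
    return len(sig) == 256 and all(H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, bits)))

def compare_after_key_leak():
    # Constructed scenario. mac_key models the symmetric key Bob recovers when
    # he decrypts, so whoever holds Bob's leaked private key recovers it too.
    mac_key = secrets.token_bytes(32)
    alice_sk, alice_pk = lamport_keygen()   # alice_sk never leaves Alice
    original = b"transfer 10 to Carol"      # constructed sample messages
    altered = b"transfer 9000 to Mallory"
    tag = mac_tag(mac_key, original)
    sig = lamport_sign(alice_sk, original)
    # The key holder recomputes the tag over changed contents; for the
    # signature there is only alice_pk and the old signature to work with.
    new_tag = mac_tag(mac_key, altered)
    return {
        "mac_original_accepted": mac_ok(mac_key, original, tag),
        "mac_altered_accepted": mac_ok(mac_key, altered, new_tag),
        "sig_original_accepted": lamport_verify(alice_pk, original, sig),
        "sig_altered_accepted": lamport_verify(alice_pk, altered, sig),
    }
```

Only `sig_altered_accepted` comes back False: Bob's MAC check cannot tell Alice from anyone else who holds the key, whereas the signature check depends on a secret that Bob's key material never contained.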