[149207] in cryptography@c2.net mail archive
Re: [Cryptography] Does PGP use sign-then-encrypt or
daemon@ATHENA.MIT.EDU (Peter Todd)
Wed Jan 22 13:05:38 2014
X-Original-To: cryptography@metzdowd.com
Date: Wed, 22 Jan 2014 12:57:08 -0500
From: Peter Todd <pete@petertodd.org>
To: Derek Atkins <derek@ihtfp.com>
In-Reply-To: <c2c41532d8c4eaaa7ac3dd5a1678b63b.squirrel@mail2.ihtfp.org>
Cc: cryptography@metzdowd.com, Stephan Neuhaus <stephan.neuhaus@tik.ee.ethz.ch>
On Tue, Jan 21, 2014 at 01:48:21PM -0500, Derek Atkins wrote:
> Hi,
>
> On Tue, January 21, 2014 11:01 am, Stephan Neuhaus wrote:
> > Dear list,
> >
> > I'll be darned if I can find in RFC4880 how to do both encryption and
> > signature in OpenPGP. Knowing that both naively doing sign-then-encrypt
> > and encrypt-then-sign have their problems, surely it can't be that,
> > right? So what *is* actually happening in OpenPGP? And where does it
> > say that in the RFC?
>
> The RFC does not specify, because protocol-wise both are valid. You could
> do either sign-then-encrypt or encrypt-then-sign, and PGP validators
> should handle either order of packet nesting. The more appropriate
> question would be: what do the various OpenPGP implementations do by
> default, and that I cannot answer for you.
GnuPG at least does sign-then-encrypt, and for good reason. Consider
the following encrypted message:
If you try to decrypt it:
nobody@nowhere:~$ gpg -d < msg.asc
gpg: encrypted with RSA key, ID 00000000
gpg: decryption failed: secret key not available
Minimum possible information leakage; you know nothing at all about the
sender (or the intended receiver, since I used the hidden recipient
feature). Encrypt-then-sign, on the other hand, has to leak info on who
signed the message.
Of course, if you can decrypt the message you can see the encrypted
signature and verify it:
nobody@nowhere:~$ gpg --override-session-key 7:D88A707170A1171BADA5883A10853987 -d < msg.asc
gpg: encrypted with RSA key, ID 00000000
<nsa slides go here>
gpg: Signature made Wed 22 Jan 2014 12:32:58 PM EST
gpg: using RSA key 2481403DA5F091FB
gpg: Good signature from "Peter Todd <pete@petertodd.org>"
gpg: aka "[jpeg image of size 5220]"
-- 
'peter'[:-1]@petertodd.org
00000000000000015cb8d314960db888ee3e884c05ccabdf1cfaccd02b57942b
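
An added example, not part of the original message or of GnuPG: a small RFC 4880 packet-header parser that lists what an observer without any secret key can read from the outer layer of a message, run on the two nestings discussed above. The sample packets are constructed with placeholder bodies; the example assumes version 3 session-key and one-pass signature packets, models encrypt-then-sign as a one-pass-signed wrapper around ciphertext, and its function names are hypothetical.

```python
TAGS = {1: "pubkey-encrypted session key", 2: "signature", 4: "one-pass signature",
        11: "literal data", 18: "integrity-protected encrypted data"}

def packets(data):
    """Yield (tag, body) for each top-level packet (RFC 4880, section 4.2)."""
    i = 0
    while i < len(data):
        hdr = data[i]; i += 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                       # new-format header
            tag, first = hdr & 0x3F, data[i]; i += 1
            if first < 192:                  # one-octet length
                n = first
            elif first < 224:                # two-octet length
                n = ((first - 192) << 8) + data[i] + 192; i += 1
            elif first == 255:               # five-octet length
                n = int.from_bytes(data[i:i + 4], "big"); i += 4
            else:
                raise ValueError("partial body lengths not handled here")
        else:                                # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 3
            if ltype == 3:                   # indeterminate: runs to end of input
                n = len(data) - i
            else:
                size = 1 << ltype            # 1, 2 or 4 length octets
                n = int.from_bytes(data[i:i + size], "big"); i += size
        yield tag, data[i:i + n]; i += n

def visible_metadata(data):
    """Return [(packet name, key ID hex or None)] readable without a secret key."""
    out = []
    for tag, body in packets(data):
        keyid = None
        if tag == 1 and body[0] == 3:        # session key v3: key ID at offset 1
            keyid = body[1:9].hex().upper()
        elif tag == 4 and body[0] == 3:      # one-pass sig v3: key ID at offset 4
            keyid = body[4:12].hex().upper()
        out.append((TAGS.get(tag, f"tag {tag}"), keyid))
    return out

def pkt(tag, body):                          # builds constructed samples (< 192 bytes)
    return bytes([0xC0 | tag, len(body)]) + body

SIGNER = bytes.fromhex("2481403DA5F091FB")   # key ID shown in the gpg output above
# Constructed samples: ciphertext and signature bodies are placeholder bytes.
sign_then_encrypt = pkt(1, b"\x03" + bytes(8) + b"\x01" + bytes(4)) + pkt(18, b"\x01" + b"\xAA" * 32)
encrypt_then_sign = pkt(4, b"\x03\x00\x08\x01" + SIGNER + b"\x01") + pkt(11, b"\xAA" * 32) + pkt(2, b"\xBB" * 16)
```

For the first sample the only key ID visible is the all-zero hidden-recipient value; for the second the signer's key ID is readable by anyone who sees the message.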