[149209] in cryptography@c2.net mail archive
Re: [Cryptography] Does PGP use sign-then-encrypt or
daemon@ATHENA.MIT.EDU (Steve Weis)
Wed Jan 22 16:38:41 2014
X-Original-To: cryptography@metzdowd.com
In-Reply-To: <alpine.LFD.2.11.1401221949050.2486@lap.senderek.ie>
From: Steve Weis <steveweis@gmail.com>
Date: Wed, 22 Jan 2014 13:29:38 -0800
To: Ralf Senderek <crypto@senderek.ie>
Cc: Cryptography <cryptography@metzdowd.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
Comments below...
On Wed, Jan 22, 2014 at 10:56 AM, Ralf Senderek <crypto@senderek.ie> wrote:
> In 1996 W. Unruh explained another good reason to avoid signing ciphertext
> in his paper "PGP Attacks". Here is his reasoning.
>
> Chosen Ciphertext Attack:
>
> An attacker listens in on the insecure channel in which RSA
> messages are passed. The attacker collects an encrypted message c,
> from the target (destined for some other party). The attacker wants to be able
> to read this message without having to mount a serious factoring
> effort.
> ...
> The attacker then gets the target to sign y with her private-key,
> (which actually decrypts y) and sends u=y^d mod n to the attacker. The attacker
> simply computes:
> ...
> To foil this attack do not sign some random document presented to you.
> Sign a one-way hash of the message instead.
>
> Signing ciphertext directly has long been considered to be a mortal sin.
This attack doesn't apply to standard signature algorithms, which sign
hash digests. It also assumes you use the same RSA key for signing and
encryption, which is an unsafe practice for this very reason.
I think signing ciphertexts is generally a best practice, and
certainly not a "mortal sin".
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
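To make the two defences both posters mention concrete, here is an added toy example (not code from the thread, from Unruh's paper or from PGP): textbook RSA with constructed Mersenne-prime moduli, showing that signing a presented value directly with the encryption key is the same operation as decrypting it, whereas hash-then-sign, or a separate signing key, hands the holder of an intercepted ciphertext nothing. The function names and the truncated-digest encoding are assumptions made for illustration, not any standard's encoding.

```python
import hashlib

E = 65537  # public exponent shared by both toy key pairs


def make_key(p, q):
    """Textbook RSA key from two primes (toy sizes, no padding)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return n, d


# Constructed toy keys from Mersenne primes so the example runs offline.
ENC_KEY = make_key(2**127 - 1, 2**61 - 1)   # used only for encryption
SIG_KEY = make_key(2**89 - 1, 2**107 - 1)   # separate pair, used only for signing


def encrypt(m, key):
    n, _ = key
    return pow(m, E, n)


def raw_sign(x, key):
    """Sign the presented value directly: x^d mod n, which is exactly RSA decryption."""
    n, d = key
    return pow(x, d, n)


def digest_int(doc):
    # Toy stand-in for a real hash encoding: truncated SHA-256 as an integer below n.
    return int.from_bytes(hashlib.sha256(doc).digest()[:16], "big")


def hash_sign(doc, key):
    """Sign a one-way hash of the document, as standard signature schemes do."""
    n, d = key
    return pow(digest_int(doc), d, n)


def verify(doc, sig, key):
    n, _ = key
    return pow(sig, E, n) == digest_int(doc)


def oracle_leaks(m):
    """Report whether each signing behaviour returns the plaintext of an intercepted ciphertext."""
    c = encrypt(m, ENC_KEY)
    doc = str(c).encode()  # the ciphertext presented as a "document to sign"
    return {
        "raw_sign_same_key": raw_sign(c, ENC_KEY) == m,                       # True
        "raw_sign_separate_key": raw_sign(c, SIG_KEY) == m,                   # False
        "hash_sign_same_key": pow(hash_sign(doc, ENC_KEY), E, ENC_KEY[0]) == m,  # False
        "hash_sig_verifies": verify(doc, hash_sign(doc, ENC_KEY), ENC_KEY),   # True
    }


if __name__ == "__main__":
    print(oracle_leaks(int.from_bytes(b"attack at dawn", "big")))
```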