[149214] in cryptography@c2.net mail archive
Re: [Cryptography] Does PGP use sign-then-encrypt or
daemon@ATHENA.MIT.EDU (ianG)
Thu Jan 23 12:53:54 2014
X-Original-To: cryptography@metzdowd.com
Date: Thu, 23 Jan 2014 11:47:42 +0300
From: ianG <iang@iang.org>
To: Alexandre Anzala-Yamajako <anzalaya@gmail.com>,
Steve Weis <steveweis@gmail.com>
In-Reply-To: <CAHE9jN2vC6vQ-T0yDsjqPpB=oQ-WzBjzyNHByu5D4saJ-XgjLw@mail.gmail.com>
Cc: Ralf Senderek <crypto@senderek.ie>,
Cryptography <cryptography@metzdowd.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
On 23/01/14 02:05 AM, Alexandre Anzala-Yamajako wrote:
> I think signing ciphertexts is generally a best practice, and
>
>> certainly not a "mortal sin".
>>
>
> In the public key world, signing ciphertexts not only reveals the identity
> of the sender but also allow relay attacks where a guy intercepts a signed
> message, strips it from his signature and replaces it with its own.
> Depending on the protocol it can be a problem.
> I think the encrypt-sign-encrypt solution solves both of those problems
Even better, the anon-MAC(encrypt(sign(content))) solution.
The problem is the hammer of digsigs; auth and auth and ID all look
like nails.
iang
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
