[149215] in cryptography@c2.net mail archive


Re: [Cryptography] Does PGP use sign-then-encrypt or

daemon@ATHENA.MIT.EDU (Kristian Gjøsteen)
Thu Jan 23 12:55:04 2014

X-Original-To: cryptography@metzdowd.com
From: Kristian Gjøsteen <kristian.gjosteen@math.ntnu.no>
In-Reply-To: <CAHE9jN2vC6vQ-T0yDsjqPpB=oQ-WzBjzyNHByu5D4saJ-XgjLw@mail.gmail.com>
Date: Thu, 23 Jan 2014 09:55:22 +0100
To: Cryptography <cryptography@metzdowd.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

On 23 Jan 2014, at 00:05, Alexandre Anzala-Yamajako <anzalaya@gmail.com> wrote:

> In the public key world, signing ciphertexts not only reveals the identity of the sender but also allows relay attacks where a guy intercepts a signed message, strips it of its signature and replaces it with his own. Depending on the protocol it can be a problem.

As usual, this is a well-studied problem. You need only include the sender and recipient identities together with the message, and then EtS and StE are both secure.

	On the Security of Joint Signature and Encryption. Jee Hea An, Yevgeniy Dodis, and Tal Rabin. EUROCRYPT, volume 2332 of Lecture Notes in Computer Science, pages 83-107. Springer, (2002).

Obviously they have different properties: EtS ciphertexts reveal the sender (which may be desirable or undesirable or both), while StE ciphertexts do not (probably not sufficient on its own).

> I think the encrypt-sign-encrypt solution solves both of those problems

It is at best an inefficient solution. (I have not verified that it is a solution.)

-- 
Kristian Gjøsteen
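
Added example, not part of the original message or the cited paper: a sketch of encrypt-then-sign with the sender and recipient identities bound in, showing the receiver rejecting a ciphertext whose signature was replaced by another party's. It assumes toy RSA keys built from Mersenne primes (constructed, not secure), hypothetical function names and parties alice/bob/mallory, and one particular placement of the identities (sender inside the ciphertext, recipient under the signature).

```python
import hashlib, secrets
# Added illustration. Toy RSA on Mersenne primes 2**a-1, 2**b-1: constructed, NOT secure.
E = 65537

def keygen(a, b):
    p, q = 2**a - 1, 2**b - 1
    return p * q, pow(E, -1, (p - 1) * (q - 1))      # (n, d)

def _h(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key, data):
    n, d = key
    return pow(_h(data, n), d, n)

def verify(n, data, sig):
    return pow(sig, E, n) == _h(data, n)

def _pad(k, length):
    return hashlib.shake_256(str(k).encode()).digest(length)

def enc(n, pt):
    k = secrets.randbelow(n - 2) + 2                  # random session secret
    return pow(k, E, n), bytes(x ^ y for x, y in zip(pt, _pad(k, len(pt))))

def dec(key, ct):
    (n, d), (c1, body) = key, ct
    return bytes(x ^ y for x, y in zip(body, _pad(pow(c1, d, n), len(body))))

def seal(sender, sender_key, rcpt, rcpt_n, msg):
    """EtS: sender id goes inside the ciphertext, recipient id under the signature."""
    ct = enc(rcpt_n, sender.encode() + b"\0" + msg)
    return sender, ct, sign(sender_key, rcpt.encode() + b"\0" + repr(ct).encode())

def open_(packet, rcpt, rcpt_key, directory):
    claimed, ct, sig = packet
    if not verify(directory[claimed], rcpt.encode() + b"\0" + repr(ct).encode(), sig):
        raise ValueError("bad signature")
    inner, _, msg = dec(rcpt_key, ct).partition(b"\0")
    if inner != claimed.encode():                     # signer must match the encrypted id
        raise ValueError("signer is not the sender named inside the ciphertext")
    return msg

ALICE, BOB, MALLORY = keygen(61, 89), keygen(107, 127), keygen(521, 607)
DIRECTORY = {"alice": ALICE[0], "bob": BOB[0], "mallory": MALLORY[0]}

def resigned_by(packet, name, key, rcpt):  # constructed test input: same ct, new signer
    ct = packet[1]
    return name, ct, sign(key, rcpt.encode() + b"\0" + repr(ct).encode())
```

Without the sender identity inside the ciphertext, the re-signed packet would verify cleanly under the second signer's key and be attributed to them.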

