[87420] in cryptography@c2.net mail archive


Re: Public key encrypt-then-sign or sign-then-encrypt?

daemon@ATHENA.MIT.EDU (James A. Donald)
Fri May 4 09:52:42 2007

Date: Thu, 03 May 2007 19:57:18 +1000
From: "James A. Donald" <jamesd@echeque.com>
To:  cryptography@metzdowd.com
In-Reply-To: <878xc730w9.fsf@mid.deneb.enyo.de>

Florian Weimer wrote:
> With sign, then encrypt, it's also possible that the receiver decrypts
> the message, and then leaks it, potentially giving the impression that
> the signer authorized the disclosure.  There has been a fair bit of
> buzz about this confusion.  But the lesson from that seems to be that
> signature semantics are very hard to agree upon, and most marginally
> successful standards sidestep the issue anyway, acting as a mere
> transport protocol.

In my opinion, this is best solved by OTR style authentication without 
signing.

Ann knows that Bob sent the message, because it is authenticated, but 
cannot prove this to others.  So if Ann releases the message, it is 
*Ann* saying that Bob sent it, not Bob saying that Bob sent it.

Assume Ann's secret key is a, and her public key is A = G^a mod P

Assume Bob's secret key is b, and his public key is B = G^b mod P

Bob wants to send Ann a message.

Bob generates a secret random number x, and sends Ann X = G^x mod P

Ann responds with Y = G^y mod P, where y is another secret random number.

Ann calculates [(B*X)^(a+y)] mod P

Bob calculates [(A*Y)^(b+x)] mod P, which should be the same value Ann 
calculated

This shared secret is used to encrypt the message, and the message 
contains an authentication value constructed from the contents of the 
message and the shared secret, that only someone who knows both could 
construct.

Ann knows the message came from Bob, because only someone who knows b 
could discover the shared secret from the information exchanged, but 
cannot prove to anyone else that the message came from Bob.




---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
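The exchange described above, carried through end to end as an added example (this is not code from the message, nor OTR's own implementation): the group parameters are a constructed toy safe prime, and the SHA-256 keystream, HMAC tag and key derivation are my own assumptions about how the "authentication value" is built, since the post does not specify them.

```python
import hashlib, hmac, secrets

# Toy safe prime P = 2Q+1 with generator G = 4 of the order-Q subgroup, constructed
# for this demo only; real use would take a standard group (e.g. RFC 3526 MODP).
P, G = 1907, 4

def keygen():
    """Secret exponent and public value G^secret mod P (static or ephemeral)."""
    secret = secrets.randbelow(P - 2) + 1
    return secret, pow(G, secret, P)

def shared_secret(my_static, my_eph, peer_static_pub, peer_eph_pub):
    """(peer_static_pub * peer_eph_pub)^(my_static + my_eph) mod P = G^((a+y)(b+x))."""
    return pow(peer_static_pub * peer_eph_pub % P, my_static + my_eph, P)

def derive_keys(shared):
    """Separate encryption and MAC keys from the shared group element (P < 2^256)."""
    ikm = shared.to_bytes(32, "big")
    return hashlib.sha256(b"enc" + ikm).digest(), hashlib.sha256(b"mac" + ikm).digest()

def _keystream(key, nonce, length):
    # Counter-mode keystream from SHA-256: a demo stand-in for a real cipher.
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(-(-length // 32)))
    return b"".join(blocks)[:length]

def protect(message, shared):
    """Encrypt, then attach a MAC only a holder of the shared secret can compute."""
    enc_key, mac_key = derive_keys(shared)
    nonce = secrets.token_bytes(16)
    ct = bytes(m ^ k for m, k in zip(message, _keystream(enc_key, nonce, len(message))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unprotect(packet, shared):
    """Check the MAC, then decrypt; returns None when authentication fails."""
    enc_key, mac_key = derive_keys(shared)
    nonce, ct, tag = packet[:16], packet[16:-32], packet[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def run_exchange(message):
    """Bob -> Ann: (ann_key, bob_key, what Ann recovers, Ann's own forgery read as Bob)."""
    (a, A), (b, B), (x, X), (y, Y) = keygen(), keygen(), keygen(), keygen()
    ann_key = shared_secret(a, y, B, X)  # Ann: (B*X)^(a+y) mod P
    bob_key = shared_secret(b, x, A, Y)  # Bob: (A*Y)^(b+x) mod P
    recovered = unprotect(protect(message, bob_key), ann_key)
    # Deniability: Ann holds the same key, so she can build an equally valid packet.
    forgery = unprotect(protect(b"forged by Ann", ann_key), bob_key)
    return ann_key, bob_key, recovered, forgery
```

The last line of `run_exchange` is the point of the post: because Ann can produce a packet indistinguishable from Bob's, a released message proves nothing about Bob to a third party.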
