[87959] in cryptography@c2.net mail archive
Re: Public key encrypt-then-sign or sign-then-encrypt?
daemon@ATHENA.MIT.EDU (Travis H.)
Wed May 9 18:48:32 2007
Date: Wed, 9 May 2007 17:22:02 -0500
From: "Travis H." <travis+ml-cryptography@subspacefield.org>
To: cryptography@metzdowd.com
Mail-Followup-To: cryptography@metzdowd.com
In-Reply-To: <4639B1FE.7020706@echeque.com>
On Thu, May 03, 2007 at 07:57:18PM +1000, James A. Donald wrote:
> Assume Ann's secret key is a, and her public key is A = G^a mod P
>
> Assume Bob's secret key is b, and his public key is B = G^b mod P
>
> Bob wants to send Ann a message.
>
> Bob generates a secret random number x, and sends Ann X = G^x mod P
>
> Ann responds with Y = G^y mod P, where y is another secret random number.
>
> Ann calculates [(B*X)^(a+y)] mod P
This appears to simplify to:
(G^b * G^x)^(a+y) = (G^(b+x))^(a+y) = G^((b+x)(a+y))
Right?
This doesn't appear to be anything like the latest rev of the OTR protocol:
http://www.cypherpunks.ca/otr/Protocol-v2-3.0.0.html
Apparently the key exchange is now a variant of the SIGMA protocol,
and relies upon the implementation to disclose MAC keys automagically
as the related session keys are destroyed/expired.
Apparently this fixes an identity-binding flaw:
http://lists.cypherpunks.ca/pipermail/otr-users/2005-July/000316.html
And this illustrates a subtlety:
> For example, if Bob thinks he's talking to Mallory, he may tell her
> something in confidence he would not want Alice to hear. Note that
> although Mallory could relate this confidential information to Alice
> herself, in the attack scenario Alice has assurance that the
> message came from Bob rather than having to take Mallory's word for it.
Contrast this to sign-then-encrypt, where Mallory could decrypt, then
forward to Alice. Compare with encrypt-then-sign.
But it brings up an interesting point; that when a party relays a
piece of data it may not be equivalent to receiving it directly; that
is, authenticity may not be transitive.
Put another way, maybe it's not the information that matters, but who
says it. The New York Times may say that someone did XYZ, but that's
not entirely the same as the person admitting it under oath. In
international politics, many believe that admitting to having
performed some provocative action can be more provocative than
actually the action itself, even if everyone already knows who is
responsible. If you believe this, I suppose the official lie can be
said to serve the interest of both sides, as the government receiving
the provocation can allow the story to go unchallenged, and probably
not be forced into taking an overt retaliatory action. Thus it
preserves their options, and avoids forcing them into what could be a
disastrous confrontation. If they are too weak to confront the
provocateur, they aren't likely to shout this from the rooftops.
-- 
Kill dash nine, and it's no more CPU time, kill dash nine, and that
process is mine. -><- <URL:http://www.subspacefield.org/~travis/>
For a good time on my UBE blacklist, email john@subspacefield.org.
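The algebra questioned in the reply above, checked numerically, as an added example that is not part of the thread. It simulates the quoted exchange (Bob sends X, Ann answers Y, both derive a key) and confirms that Ann's [(B*X)^(a+y)] mod P equals Bob's symmetric [(A*Y)^(b+x)] mod P and the proposed simplification G^((b+x)(a+y)) mod P. The prime P, generator G and all secret exponents are constructed values, not from the thread.

```python
# Added example (not from the thread): numeric check of the quoted key agreement.
# P = 2**127 - 1 is a Mersenne prime; G = 3 is an assumed generator. Both are
# constructed for illustration only, not parameters anyone in the thread used.
P = 2**127 - 1
G = 3


def public_value(secret):
    """G^secret mod P, used for both long-term (A, B) and ephemeral (X, Y) values."""
    return pow(G, secret, P)


def ann_shared_key(B, X, a, y):
    """Ann's computation exactly as quoted: [(B*X)^(a+y)] mod P."""
    return pow((B * X) % P, a + y, P)


def bob_shared_key(A, Y, b, x):
    """The symmetric computation on Bob's side: [(A*Y)^(b+x)] mod P."""
    return pow((A * Y) % P, b + x, P)


def expanded_key(a, b, x, y):
    """The simplification proposed in the reply: G^((b+x)(a+y)) mod P.

    The exponent is reduced mod P-1 first; that is valid because G^(P-1) = 1 mod P
    (Fermat), and it keeps the exponent the size of P rather than of P squared.
    """
    return pow(G, ((b + x) * (a + y)) % (P - 1), P)


def run_exchange(a, b, x, y):
    """Simulate the exchange; return (Ann's key, Bob's key, expanded form)."""
    A, B = public_value(a), public_value(b)  # long-term public keys
    X = public_value(x)                      # Bob -> Ann
    Y = public_value(y)                      # Ann -> Bob
    return (ann_shared_key(B, X, a, y),
            bob_shared_key(A, Y, b, x),
            expanded_key(a, b, x, y))


if __name__ == "__main__":
    import secrets
    a, b, x, y = (secrets.randbelow(P - 2) + 1 for _ in range(4))
    k_ann, k_bob, k_exp = run_exchange(a, b, x, y)
    print("Ann == Bob:", k_ann == k_bob, "; equals G^((b+x)(a+y)):", k_ann == k_exp)
```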
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com