[Cryptography] Does PGP use sign-then-encrypt or encrypt-then-sign?

Jerry Leichter leichter at lrw.com
Tue Jan 21 18:17:03 EST 2014


On Jan 21, 2014, at 5:13 PM, Tony Arcieri wrote:
> I am distinguishing MACs from "signatures", as at least in my nomenclature digital signature systems are an inherently pubkey system.
MACs and digital signature systems are different in a more fundamental way:  With a signature system, Bob can prove to anyone that a message was signed by Alice without himself being able to produce messages with Alice's signature on them.  With a MAC, Bob has everything needed to produce messages "MAC'ed" by Alice.  But that's fine, because the entire purpose of a MAC is for Bob to be able to prove *to himself* that Alice produced a message.  There's not much point in him forging a message and then proving to himself that he forged it!

While this certainly has a flavor similar to the symmetric/asymmetric system distinction, it's not quite the same thing.  DSA does signatures, but doesn't in and of itself provide an asymmetric encryption system.  And while it's much less convenient and requires a trusted third party, you can construct a signature-like system using only symmetric primitives:  The trusted third party holds the actual MAC key and will apply it for message creation only for Alice, but for anyone for message verification.  (Alice's messages to the trusted third party are MAC'ed using a key known only to the two of them; the TTP can forge messages from Alice, but we assume that away because it's *trusted*.  Similarly the TTP shares a unique key with anyone who might want a signature verification done.  Bob still can't prove to anyone else that the message was from Alice - but he can point anyone at the TTP to do it for him.)

                                                        -- Jerry
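The two constructions contrasted in the message above, worked through as an added example (this is not code from the thread or from PGP): first a plain MAC shared by Alice and Bob, where Bob's own tag is indistinguishable from Alice's; then the trusted-third-party scheme, where the TTP holds the real MAC key, applies it only on Alice's behalf, and answers verification requests from anyone enrolled. HMAC-SHA256 as the MAC, the party names, the domain-separation labels and the request/response framing are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def mac(key, *parts):
    """HMAC-SHA256 over length-prefixed parts, so (a, b) and (ab, "") differ."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(4, "big"))
        h.update(p)
    return h.digest()


def shared_mac_forgery():
    """Plain MAC: Alice and Bob share k. Bob can tag any message he likes,
    so a valid tag proves nothing to a third party. Returns True when Bob's
    own tag passes exactly the check Alice's tag passes."""
    k = secrets.token_bytes(32)                  # shared by Alice and Bob
    alice_ok = hmac.compare_digest(mac(k, b"pay Carol 10"), mac(k, b"pay Carol 10"))
    bob_tag = mac(k, b"pay Bob 1000")            # Bob has everything Alice had
    bob_ok = hmac.compare_digest(bob_tag, mac(k, b"pay Bob 1000"))
    return alice_ok and bob_ok


class TTP:
    """Trusted third party holding the real 'signature' MAC key (assumed design).
    Signing is offered only to the designated signer; verification to anyone
    enrolled. Each request and response is itself MAC'ed under the per-party
    key, so one party cannot impersonate another to the TTP."""

    def __init__(self, signer):
        self._sig_key = secrets.token_bytes(32)  # never leaves the TTP
        self._signer = signer
        self._party_keys = {}

    def enroll(self, name):
        """Establish a key shared only by this party and the TTP."""
        k = secrets.token_bytes(32)
        self._party_keys[name] = k
        return k

    def sign(self, name, msg, req_auth):
        if name != self._signer:
            raise PermissionError("only %s may request signatures" % self._signer)
        k = self._party_keys[name]
        if not hmac.compare_digest(req_auth, mac(k, b"sign-req", msg)):
            raise ValueError("request not authenticated")
        sig = mac(self._sig_key, b"sig", msg)
        return sig, mac(k, b"sign-resp", msg, sig)

    def verify(self, name, msg, sig, req_auth):
        k = self._party_keys[name]
        if not hmac.compare_digest(req_auth, mac(k, b"verify-req", msg, sig)):
            raise ValueError("request not authenticated")
        ok = hmac.compare_digest(sig, mac(self._sig_key, b"sig", msg))
        verdict = b"valid" if ok else b"invalid"
        return ok, mac(k, b"verify-resp", msg, sig, verdict)


def request_signature(ttp, name, k, msg):
    """Client side of signing: authenticate the request, check the response."""
    sig, resp_auth = ttp.sign(name, msg, mac(k, b"sign-req", msg))
    if not hmac.compare_digest(resp_auth, mac(k, b"sign-resp", msg, sig)):
        raise ValueError("TTP response not authenticated")
    return sig


def request_verification(ttp, name, k, msg, sig):
    """Client side of verification: the verdict is trusted only if it comes
    back MAC'ed under this party's key."""
    ok, resp_auth = ttp.verify(name, msg, sig, mac(k, b"verify-req", msg, sig))
    verdict = b"valid" if ok else b"invalid"
    if not hmac.compare_digest(resp_auth, mac(k, b"verify-resp", msg, sig, verdict)):
        raise ValueError("TTP response not authenticated")
    return ok


def ttp_demo():
    """Three-party scenario with constructed messages; returns the outcomes."""
    ttp = TTP(signer="alice")
    k_alice, k_bob, k_carol = (ttp.enroll(n) for n in ("alice", "bob", "carol"))
    msg = b"pay Carol 10"

    sig = request_signature(ttp, "alice", k_alice, msg)
    bob_accepts = request_verification(ttp, "bob", k_bob, msg, sig)
    # Bob cannot prove validity to Carol himself, but can point her at the TTP.
    carol_accepts = request_verification(ttp, "carol", k_carol, msg, sig)

    # Bob has no signing key; the best he can do is MAC under his own key.
    forged = mac(k_bob, b"sig", b"pay Bob 1000")
    forgery_accepted = request_verification(ttp, "carol", k_carol, b"pay Bob 1000", forged)

    try:                                         # and the TTP will not sign for him
        request_signature(ttp, "bob", k_bob, b"pay Bob 1000")
        bob_can_sign = True
    except PermissionError:
        bob_can_sign = False

    return {"bob_accepts": bob_accepts, "carol_accepts": carol_accepts,
            "forgery_accepted": forgery_accepted, "bob_can_sign": bob_can_sign}
```

Note what the TTP scheme does and does not buy: Bob gets a verdict he can trust, and Carol can get the same verdict independently, but neither holds anything that convinces a party who does not share a key with the TTP, and the TTP itself can forge Alice's signatures at will, which is exactly the trust assumption the message names.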


