[Cryptography] Rescuing Encrypt-then-Sig
Jerry Leichter
leichter at lrw.com
Mon Aug 20 01:50:31 EDT 2018
>> ....This violates a layering
>> principle in which data is only exposed to a device that contains a
>> private key AFTER we know it doesn't come from a malicious source.
> It seems to me that the incessant sign/encrypt vs encrypt/sign debate
> happens because there are a couple of different purposes being served
> here, and that the correct answer might be to use cryptographic
> operations to explicitly perform both of them.
>
> Is there a fundamental problem that's a GOOD reason why everybody isn't
> using
>
> encrypt(privacy of message) /
> sign (authentication of encrypted message) /
> encrypt(privacy of encrypted signature and message)
This has exactly the problem the original poster set out to solve: You have to decrypt a message whose provenance you can't be sure of.
It's certainly true that *if the message was actually produced using E/S/E*, then the contents of the inner message are essentially random. But that's hardly something an attacker who is going after a vulnerability in the decryption engine (like the recently described, though very old, problems in PGP) has to do....
-- Jerry
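
The ordering issue raised in the reply above, as an added example that is not part of the original message: it counts how often the key-holding decryption routine runs on a forged message under E/S/E versus a layout whose outermost layer is the authentication check. HMAC stands in for the signature and a SHA-256 keystream XOR for the cipher; all names and sample bytes are constructed for this illustration.

```python
import hashlib, hmac, os

TAG = 32               # length of the stand-in "signature" (HMAC-SHA256)
decrypt_calls = []     # every input the key-holding decryption engine was run on

def _stream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return out[:n]

def encrypt(key, pt):  # toy stream cipher, illustration only
    nonce = os.urandom(16)
    return nonce + bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))

def decrypt(key, ct):
    decrypt_calls.append(ct)   # the engine has now processed these bytes
    nonce, body = ct[:16], ct[16:]
    return bytes(a ^ b for a, b in zip(body, _stream(key, nonce, len(body))))

def sign(key, msg):    # stand-in for a public-key signature
    return hmac.new(key, msg, hashlib.sha256).digest()

def verify(key, msg, tag):
    return hmac.compare_digest(sign(key, msg), tag)

def send_ese(k_in, k_sig, k_out, pt):
    inner = encrypt(k_in, pt)
    return encrypt(k_out, inner + sign(k_sig, inner))

def recv_ese(k_in, k_sig, k_out, wire):
    blob = decrypt(k_out, wire)            # runs before any provenance check
    inner, tag = blob[:-TAG], blob[-TAG:]
    return decrypt(k_in, inner) if verify(k_sig, inner, tag) else None

def send_es(k_in, k_sig, pt):
    inner = encrypt(k_in, pt)
    return inner + sign(k_sig, inner)

def recv_es(k_in, k_sig, wire):
    inner, tag = wire[:-TAG], wire[-TAG:]  # check provenance first
    return decrypt(k_in, inner) if verify(k_sig, inner, tag) else None

def engine_saw(receiver, keys, wire):
    """Return (plaintext or None, number of decrypt calls) for one message."""
    decrypt_calls.clear()
    result = receiver(*keys, wire)
    return result, len(decrypt_calls)
```
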