Super-Encryption
Amir Herzberg
amir at herzberg.name
Wed Dec 17 09:54:05 EST 2003
Matt, in your note below you explained finally what you really want: a
secure combination of encryption and signature. I explain below why your
current scheme is insecure. There are simple secure designs. With Yitchak
Gertner, a student, we recently proved security of one such practical
design, which is essentially Sign_sender ( Encrypt_RSA_receiver (message),
PublicKey_receiver). I've just uploaded the draft journal version to
http://eprint.iacr.org/ so you should be able to see it in a day or so
(comments very welcome as I want to finish and submit it to journal soon).
Your scheme is using the Sign-then-Encrypt order, which may not be secure
for some (possibly weird) encryption schemes, although may be secure
standard schemes such as RSA (but I don't think this was proven yet). But
as I mentioned, your specific scheme is definitely insecure, details below.
Best regards,
Amir Herzberg
Computer Science Department, Bar Ilan University
Lectures: http://www.cs.biu.ac.il/~herzbea/book.html
Homepage: http://amir.herzberg.name
At 16:25 15/12/2003, Matt wrote:
>Quoting Ben Laurie <ben at algroup.co.uk>:
>
> > I don't see any value added by cipher1 - what's the point?
>
>The message is encrypted, i.e, cipher1, then cipher1 is encrypted yeilding
>cipher2.
>
>Since symmetric_key1 of cipher1 is RSA_Encrypt(sender's private key), access
>to sender's public key can decrypt cipher1(must be *this* sender).
So (as I said before...) here you are trying to authenticate the sender -
using RSA to sign, not to encrypt. I again suggest you use the right
terminology i.e. call is a signature (since this is what you do!). Notice
also that for secure usage, there may be some small differences in the
preprocessing for encryption vs. for signature with RSA.
And I believe you didn't understand (and answer) Ben's point. I'll try to
clarify. Here's the sequence you suggested:
>(1) Encrypt message with symmetric key algorithm, i.e., cipher1
That's the part that appears unnecessary.
>(2) RSA_Encrypt (SHA1(message) + symmetric key) with sender's RSA private key
This is where you actually mean RSA_Sign. And why sign `symmetric key` ?
Since the attacker will know this key, why not simply sign just `message`
(or SHA1(message) if you want... normally we consider hashing as part of
the signature process, i.e. I'll prefer to write Sign_RSA_SHA1(message)).
>(3) Encrypt cipher1 with symmetric key algorithm, i.e., cipher2
So here one would expect you to simply encrypt the message, i.e.
cipher2=AES_symmkey2(message); Ben asks (and I agree), what gain do you
have by encrypting cipher2? As I mentioned, one could hope for gain in
confidentiality, e.g. when using different encryption schemes, but not when
the first key (`symmetric key`) is revealed as in your protocol...
>(4) RSA_Encrypt (symmetric key2) with receiver's RSA public key
So steps 3 and 4 are `classical` hybrid encryption of cipher1. Hybrid
encryption is a standard technique so I prefer to write it as one step,
i.e. Encrypt_RSA_AES_receiverPK(message), or in your
case, Encrypt_RSA_AES_receiverPK(cipher1).
>(5) Send super-encrypted message
Woops! what does the message consist of ? It is quite clear from the steps
above and below (omitted), that it contains both
cipher2=Encrypt_RSA_AES_receiverPK(cipher1) and also RSA_Sign_sender
(SHA1(message) + symmetric key). Now this is a good example of why it is
good NOT to confuse signature with encryption... since it is quite obvious
that the attacker gets to see SHA1(message). This is not desirable. First
of all, SHA1 (or any hash) is not required to preserve complete
confidentiality (e.g. in the standard, the goal is only stated as being a
one-way function). So attacker may be able to learn something about message
from SHA1(message). As a practical example, suppose there is a very small
set of possible messages, say `buy XXX for YYY' where XXX, YYY are from
relatively small sets. Then clearly the attacker can simply compute
SHA1(m') for all possible messages m' and identify the message sent. So
this is a real possible exposure to confidentiality.
Also, you wrote...
>Since symmetric_key2 of cipher2 is RSA_Encrypt(receiver's public key), only
>the receiver can decrypt cipher2.
>
>As was pointed out to me, the process of decrypting cipher2, yields an
>encrypted message, i.e., cipher1, that can forwarded on behalf of the
>original
>sender. This is not necessarily undesirable. However, SHA1(message) is to
>ensure that cipher1 has not be altered in transport. Therefore, the receiver
>knows three items.
>(1) The sender who originated the message.
>(2) The receiver is the intended receiver.
This (item 2) is not correct. The message may have been sent to Eve (and
encrypted using Eve's public key), but then Eve re-encrypted symmetric key
2 (or cipher1 itself) with the public key of another party say Bob, and
sent the message to Bob; Bob has no way of knowing that the intended
receiver (by the original sender) was Eve.
>(3) The message was not altered during transport.
>
>Thx,
>
>-Matt
>
>---------------------------------------------------------------------
>The Cryptography Mailing List
>Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list