PlayStation 3 predicts next US president

Ian G iang at systemics.com
Thu Dec 6 10:26:48 EST 2007


dan at geer.org wrote:
> If on the one hand, the correct procedure is sign-encrypt-sign,
> then why, on the other hand, is the parallel not sign-hash-sign ?

What is "correct" depends on requirements and semantics, and 
neither is well addressed in that paper nor in standards, 
w.r.t. email and signing.

https://financialcryptography.com/mt/archives/000905.html

Ditto, in terms of your question.

As an example (Ricardian Contract [1]), we might say that a 
signed contract is done as

    hash-digsig-hash

[2] With this procedure, the first hash-digsig is a human 
signing (classical cleartext openpgp signature) and the last 
hash is a signature that causes sharing of the exact 
document [3].


iang



[1] To complete the picture, even this evidence is 
distributed by means of transactions over the document;  to 
be extreme, the end result is this:

     hash-digsig(hash-digsig(hash-digsig-hash))

[2] a public key signature is normally done hash-digsig, 
right?  So your sign-hash-sign might really be:

     hash-digsig-hash-hash-digsig

but that's a guess.

[3] http://iang.org/papers/ricardian_contract.html




> --dan
> 
> =============
> 
> http://world.std.com/~dtd/sign_encrypt/sign_encrypt7.ps
> 
> Donald T. Davis, "Defective Sign & Encrypt in S/MIME, PKCS#7, MOSS, PEM,
> PGP, and XML.", Proc. Usenix Tech. Conf. 2001 (Boston, Mass., June
> 25-30, 2001), pp. 65-78.(180 Kbytes) (PDF, 200 Kbytes) (HTML, 80 Kbytes)
> 
> Summary of the paper.
> 
> Abstract: 
> Simple Sign & Encrypt, by itself, is not very secure. Cryptographers
> know this well, but application programmers and standards authors still
> tend to put too much trust in simple Sign-and-Encrypt. In fact, every
> secure e-mail protocol, old and new, has codified naïve Sign &
> Encrypt as acceptable security practice. S/MIME, PKCS#7, PGP, OpenPGP,
> PEM, and MOSS all suffer from this flaw. Similarly, the secure document
> protocols PKCS#7, XML-Signature, and XML-Encryption suffer from the
> same flaw. Naïve Sign & Encrypt appears only in file-security and
> mail-security applications, but this narrow scope is becoming more
> important to the rapidly-growing class of commercial users. With file-
> and mail-encryption seeing widespread use, and with flawed encryption in
> play, we can expect widespread exposures.
> 
> In this paper, we analyze the naïve Sign & Encrypt flaw, we
> review the defective sign/encrypt standards, and we describe a
> comprehensive set of simple repairs. The various repairs all have a
> common feature: when signing and encryption are combined, the inner
> crypto layer must somehow depend on the outer layer, so as to reveal any
> tampering with the outer layer.
> 
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
> 
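The hash-digsig-hash ordering from the reply above, as an added example; this is not code from the post or from any Ricardian Contract implementation. Assumptions: Ed25519 stands in for the OpenPGP cleartext signature, SHA-256 is the final hash, and the signature marker, key seeds, contract text and all function names are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Constructed separator between contract text and signature block (not OpenPGP armor).
const sigMarker = "\n-----SIGNATURE-----\n"

// DemoKey derives a fixed key pair from a constructed seed byte (illustration only).
func DemoKey(b byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{b}, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

// SignContract is the hash-digsig step: Ed25519 hashes the text internally,
// signs it, and the hex signature block is appended to the text.
func SignContract(priv ed25519.PrivateKey, text []byte) []byte {
	sig := ed25519.Sign(priv, text)
	return append(append(append([]byte{}, text...), sigMarker...), hex.EncodeToString(sig)...)
}

// ContractID is the final hash. It covers text and signature block together,
// so an identifier carried in a transaction names one exact signed document.
func ContractID(signed []byte) string {
	sum := sha256.Sum256(signed)
	return hex.EncodeToString(sum[:])
}

// Accept checks both layers: the document must match the identifier, and the
// issuer's signature must verify over the text before the marker.
func Accept(pub ed25519.PublicKey, signed []byte, id string) bool {
	i := bytes.LastIndex(signed, []byte(sigMarker))
	if ContractID(signed) != id || i < 0 {
		return false
	}
	sig, err := hex.DecodeString(string(signed[i+len(sigMarker):]))
	return err == nil && len(sig) == ed25519.SignatureSize && ed25519.Verify(pub, signed[:i], sig)
}

func main() {
	pub, priv := DemoKey(7)
	signed := SignContract(priv, []byte("Issuer promises 1 unit per token."))
	fmt.Println(ContractID(signed), Accept(pub, signed, ContractID(signed)))
}
```

Because the final hash is taken over the signature block as well as the text, the same text signed by a different key yields a different identifier.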
