Public key encrypt-then-sign or sign-then-encrypt?

Anne & Lynn Wheeler lynn at garlic.com
Wed May 2 11:29:39 EDT 2007


Florian Weimer wrote:
> With sign, then encrypt, it's also possible that the receiver decrypts
> the message, and then leaks it, potentially giving the impression that
> the signer authorized the disclosure.  There has been a fair bit of
> buzz about this confusion.  But the lesson from that seems to be that
> signature semantics are very hard to agree upon, and most marginally
> successful standards sidestep the issue anyway, acting as a mere
> transport protocol.

re:
http://www.garlic.com/~lynn/aadsm26.htm#62 Public key encrypt-then-sign or sign-then-encrypt?
http://www.garlic.com/~lynn/aadsm26.htm#63 Public key encrypt-then-sign or sign-then-encrypt?

there is the issue for some kinds of operations of having integral authentication
and integrity .... or integral authentication and privacy ... or integral 
privacy and integrity.

so there is the whole issue of semantic confusion with the term digital
signature .... because it contains the word "signature" ... leading to
confusion that it might somehow be related to human signature ... aka
things like intent and a human having read, understood, approves, agrees,
and/or authorizes.

on the other hand ... digital signatures can get into various kinds of
dual-use attacks ... when the same private key is being used in a purely
authentication protocol (server sends random data to be digitally
signed ... as countermeasure to replay attack) ... and also in an
authentication+integrity protocol ... where the contents being digitally
signed is presumed to carry some sort of meaning (and that a digital
signature just happens to be performed ... carries some additional implication
other than authentication+integrity).

there is this slightly x-over thread from sci.crypt
http://www.garlic.com/~lynn/2007i.html#63 public key password authentication
http://www.garlic.com/~lynn/2007i.html#73 public key password authentication
http://www.garlic.com/~lynn/2007i.html#74 public key password authentication

where there is possibly the suggestion that if the only thing being performed
is authentication (and doesn't require either integrity and/or privacy) ...
then possibly a totally different protocol be utilized (rather than
digital signature) ... to help minimize the apparent extensive (human)
confusion where the same technology might be used for both authentication
only operations as well as authentication plus integrity operations
(and where having the word "signature" in the term also appears to
contribute significant additional confusion).

however, in the x-over thread from sci.crypt ... i mention that if
both authentication and integrity are both required ... that potentially
if they are done as separate operations ... that there can be (security)
openings provided to attackers for things like man-in-the-middle attacks.

in the "naked" transaction metaphor mentioned in these postings
http://www.garlic.com/~lynn/subintegrity.html#payments

it is possible that if authentication is performed separately from any
integrity provisions applied to the actual transactions ... that it may
be an opening for a man-in-the-middle attack (or other kinds of attacks)
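
Editor's added example (not part of the original post): the dual-use problem described above, where one private key both signs server-supplied "random" challenges and signs content that carries meaning, shown next to a variant that binds each signature to its protocol. The toy RSA key, the context tags, the function names and the sample transaction are all constructed for illustration, and context tagging is an assumption here, not something the post proposes.

```python
import hashlib
import os

# Toy RSA key (constructed and insecure: Mersenne primes, no padding).
# It exists only so the signatures below run offline with the stdlib.
P, Q, E = 2**107 - 1, 2**127 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def _digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign(data: bytes) -> int:
    return pow(_digest(data), D, N)

def verify(data: bytes, sig: int) -> bool:
    return pow(sig, E, N) == _digest(data)

# Dual use: the same key answers login challenges and signs transactions.
def naive_auth_response(challenge: bytes) -> int:
    """Signs whatever bytes the server calls 'random data'."""
    return sign(challenge)

def naive_transaction_valid(tx: bytes, sig: int) -> bool:
    return verify(tx, sig)

# Bound to purpose: each protocol signs under its own context tag, and the
# client mixes in its own nonce so it never signs server-chosen bytes alone.
AUTH_TAG, TX_TAG = b"auth-v1\x00", b"tx-v1\x00"  # hypothetical tags

def auth_response(challenge: bytes):
    client_nonce = os.urandom(16)
    return client_nonce, sign(AUTH_TAG + client_nonce + challenge)

def auth_valid(challenge: bytes, client_nonce: bytes, sig: int) -> bool:
    return verify(AUTH_TAG + client_nonce + challenge, sig)

def sign_transaction(tx: bytes) -> int:
    return sign(TX_TAG + tx)

def transaction_valid(tx: bytes, sig: int) -> bool:
    return verify(TX_TAG + tx, sig)

def demo():
    tx = b"pay 1000 to account 42"  # constructed sample transaction
    # The "challenge" presented at login is really the transaction bytes.
    naive_sig = naive_auth_response(tx)
    _, tagged_sig = auth_response(tx)
    # Untagged: the login response also verifies as a transaction signature.
    # Tagged: the login response is rejected by the transaction verifier.
    return naive_transaction_valid(tx, naive_sig), transaction_valid(tx, tagged_sig)
```
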
