Public key encrypt-then-sign or sign-then-encrypt?

[James A. Donald]

Florian Weimer wrote:
> With sign, then encrypt, it's also possible that the receiver decrypts
> the message, and then leaks it, potentially giving the impression that
> the signer authorized the disclosure.  There has been a fair bit of
> buzz about this confusion.  But the lesson from that seems to be that
> signature semantics are very hard to agree upon, and most marginally
> successful standards sidestep the issue anyway, acting as a mere
> transport protocol.

In my opinion, this is best solved by OTR style authentication without 
signing.

Ann knows that Bob sent the message, because it is authenticated, but 
cannot prove this to others.  So if Ann releases the message, it is 
*Ann* saying that Bob sent it, not Bob saying that Bob sent it.

Assume Ann's secret key is a, and her public key is A = G^a mod P

Assume Bob's secret key is b, and his public key is B = G^b mod P

Bob wants to send Ann a message.

Bob generates a secret random number x, and sends Ann X = G^x mod P

Ann responds with Y = G^y mod P, where y is another secret random number.

Ann calculates [(B*X)^(a+y)] mod P

Bob calculates [(A*Y)^(b+x)] mod P, which should be the same value Ann 
calculated

This shared secret is used to encrypt the message, and the message 
contains an authentication value constructed from the contents of the 
message and the shared secret, that only someone who knows both could 
construct.

Ann knows the message came from Bob, because only someone who knows b 
could discover the shared secret from the information exchanged, but 
cannot prove to anyone else that the message came from Bob.




---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com