Public key encrypt-then-sign or sign-then-encrypt?

Travis H. travis+ml-cryptography at subspacefield.org
Wed May 9 11:36:30 EDT 2007


On Wed, May 02, 2007 at 09:29:39AM -0600, Anne & Lynn Wheeler wrote:
> where there is possibly the suggestion that if the only thing being
> performed is authentication (and doesn't require either integrity
> and/or privacy) ... then possibly a totally different protocol be
> utilized (rather than digital signature)

This reminds me a bit of a suggestion I once heard for protocol
designers that the messages of the various steps of the protocol
include a step number or something like it to prevent cut-and-paste
attacks (presumably each message has some redundancy to protect the
integrity/authenticity as well, like a running hash covering all the
previous messages (in this direction)).

I wonder if something similar couldn't be done with digital
signatures, where the input is padded with data that indicates the
semantics of the signature; not unlike the forms which say "by signing
here I agree that..."

This also makes it very difficult for the opponent to do any kind
of chosen-plaintext trickery since the plaintext will be framed
with this data that the opponent does not control, but that is
also true with other padding options and such.
-- 
Kill dash nine, and it's no more CPU time, kill dash nine, and that
process is mine. -><- <URL:http://www.subspacefield.org/~travis/>
For a good time on my UBE blacklist, email john at subspacefield.org.
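
The framing suggested in the message above, as an added example that is not part of the original post: the signed input carries a statement of what the signature means, the step number, and a running hash of the earlier messages in that direction. HMAC-SHA256 stands in for the public-key signature so the sketch runs on the standard library alone; the key, the purpose labels and the field layout are assumptions made for illustration.

```python
import hashlib, hmac, struct

KEY = b"constructed-demo-key"  # constructed sample key, not from the post

def lp(b):
    """Length-prefix a field so field boundaries cannot be shifted."""
    return struct.pack(">I", len(b)) + b

def frame(purpose, step, running, msg):
    """Signed input = stated purpose + step number + running hash + message."""
    return lp(purpose.encode()) + struct.pack(">I", step) + lp(running) + lp(msg)

def sign(key, purpose, step, running, msg):
    # HMAC-SHA256 stands in for the public-key signature (assumption).
    return hmac.new(key, frame(purpose, step, running, msg), hashlib.sha256).digest()

class Direction:
    """One direction of a protocol run: step counter and running hash."""
    def __init__(self, key, purpose):
        self.key, self.purpose, self.step = key, purpose, 0
        self.running = hashlib.sha256(b"").digest()

    def _advance(self, msg):
        self.running = hashlib.sha256(self.running + lp(msg)).digest()
        self.step += 1

    def send(self, msg):
        tag = sign(self.key, self.purpose, self.step, self.running, msg)
        self._advance(msg)
        return msg, tag

    def receive(self, msg, tag):
        want = sign(self.key, self.purpose, self.step, self.running, msg)
        if not hmac.compare_digest(want, tag):
            return False  # wrong purpose, wrong step, or altered history
        self._advance(msg)
        return True

def demo():
    tx, rx = Direction(KEY, "login-auth-v1"), Direction(KEY, "login-auth-v1")
    m0, m1 = tx.send(b"hello"), tx.send(b"pay 10")
    doc = Direction(KEY, "document-approval-v1").send(b"hello")
    return {
        "reordered": Direction(KEY, "login-auth-v1").receive(*m1),
        "in_order": rx.receive(*m0) and rx.receive(*m1),
        "replayed": rx.receive(*m0),
        "cross_purpose": Direction(KEY, "login-auth-v1").receive(*doc),
    }

if __name__ == "__main__":
    print(demo())
```

A message signed under one purpose label, at another step, or after a different history fails verification even though the key and the message bytes are unchanged.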