[Cryptography] Does PGP use sign-then-encrypt or encrypt-then-sign?
John Kelsey
crypto.jmk at gmail.com
Tue Jan 21 16:36:30 EST 2014
Encrypt then sign has the big advantage that onthe receiving side, you can verify the signature before processing the ciphertext at all. And that means you can avoid all kinds of chosen ciphertext attacks on your encryption mechanism, many of which are surprisingly effective. (I'm thinking in terms of reaction attacks here--stuff where you mess up the last block of ciphertext, and learn something about the plaintext depending on whether your change messed up the block padding through CBC decryption.)
--John
More information about the cryptography
mailing list