[Cryptography] Does PGP use sign-then-encrypt or encrypt-then-sign?

Tony Arcieri bascule at gmail.com
Tue Jan 21 17:13:40 EST 2014


On Tue, Jan 21, 2014 at 1:36 PM, John Kelsey <crypto.jmk at gmail.com> wrote:

> Encrypt then sign has the big advantage that on the receiving side, you can
> verify the signature before processing the ciphertext at all.  And that
> means you can avoid all kinds of chosen ciphertext attacks on your
> encryption mechanism, many of which are surprisingly effective.


Using a symmetric MAC would accomplish the same thing, and can be combined
with public key cryptography using (EC)IES-style schemes. This is, IMO, the
best way to go, and the sort of scheme used by e.g. NaCl's crypto_box
primitive.

I am distinguishing MACs from "signatures", as at least in my nomenclature
digital signature systems are inherently pubkey systems. There are also
"signcryption" systems that combine public key cryptography with digital
signatures, such as RSA-PSSR (although these schemes are somewhat limited
in their usefulness, IMO).

The purpose of using a digital signature in addition to a symmetric MAC is
identity verification of the sender.

-- 
Tony Arcieri
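
Added example, not part of the original message and not NaCl's code: a minimal IES-style construction in which the receiver checks a MAC over the ciphertext before any decryption happens. Assumptions: the finite-field Diffie-Hellman group is a toy stand-in for the elliptic-curve agreement, the SHA-256 counter keystream is a stand-in for a real cipher, and the names keygen, seal and open_box are hypothetical.

```python
import hashlib, hmac, secrets

# Toy Diffie-Hellman group standing in for the elliptic-curve agreement of a
# real (EC)IES scheme. Illustrative parameters only, NOT secure (assumption).
P = 2**255 - 19
G = 2

def keygen():
    sk = secrets.randbelow(P - 3) + 2
    return sk, pow(G, sk, P)

def _derive(shared, eph_pub):
    # One KDF call, two separate keys: one for encryption, one for the MAC.
    material = shared.to_bytes(32, "big") + eph_pub.to_bytes(32, "big")
    okm = hashlib.sha512(b"ies-demo" + material).digest()
    return okm[:32], okm[32:]

def _keystream_xor(key, data):
    # Stand-in stream cipher: SHA-256 in counter mode, same call both ways.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def seal(recipient_pub, plaintext):
    # A fresh ephemeral key per message gives fresh enc/MAC keys per message.
    eph_sk, eph_pub = keygen()
    enc_key, mac_key = _derive(pow(recipient_pub, eph_sk, P), eph_pub)
    ct = _keystream_xor(enc_key, plaintext)
    tag = hmac.new(mac_key, ct, hashlib.sha256).digest()  # MAC over ciphertext
    return eph_pub, ct, tag

def open_box(recipient_sk, eph_pub, ct, tag):
    enc_key, mac_key = _derive(pow(eph_pub, recipient_sk, P), eph_pub)
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # rejected before the cipher ever touches the ciphertext
    return _keystream_xor(enc_key, ct)

if __name__ == "__main__":
    sk, pk = keygen()
    eph, ct, tag = seal(pk, b"constructed sample message")
    forged = bytes([ct[0] ^ 1]) + ct[1:]
    print(open_box(sk, eph, ct, tag), open_box(sk, eph, forged, tag))
```

Anyone holding the recipient's public key can produce a message that passes this check, so the MAC protects the ciphertext but says nothing about who sent it; that is the job the message above assigns to a digital signature.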