[Cryptography] Does PGP use sign-then-encrypt or encrypt-then-sign?

Phillip Hallam-Baker hallam at gmail.com
Tue Jan 21 17:28:24 EST 2014


On Tue, Jan 21, 2014 at 4:36 PM, John Kelsey <crypto.jmk at gmail.com> wrote:

> Encrypt then sign has the big advantage that on the receiving side, you can
> verify the signature before processing the ciphertext at all.  And that
> means you can avoid all kinds of chosen ciphertext attacks on your
> encryption mechanism, many of which are surprisingly effective.  (I'm
> thinking in terms of reaction attacks here--stuff where you mess up the
> last block of ciphertext, and learn something about the plaintext depending
> on whether your change messed up the block padding through CBC decryption.)
>

I think we need to consider the whole email infrastructure these days. In
particular we have DKIM now which we didn't before.

So my preference would be,

Let m be the initial message, ks be the personal signature key of the
sender, kr be the personal encryption key of the receiver, kd the DKIM
server signature key.

DKIM:  Sign (body, kd)
..

body = E ( m + Sign (m, ks), kr )

The DKIM signature should be sufficient for anti-spam control purposes
which should be all the receiver requires in order to decide whether it is
worth spending effort to decrypt.

Of course the scheme can be improved considerably if the encryption format
allows the content and the signature(s) to be encrypted separately. In that
case we can construct a signature over the encrypted and unencrypted data
in one go.


-- 
Website: http://hallambaker.com/
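
The layering proposed in this message, written out as an added example that is not part of the original post. Assumptions: Ed25519 stands in for both Sign operations and RSA-OAEP for E (the post names no primitives), the outer signature covers the raw body bytes as in the post's notation rather than real DKIM canonicalization, and `NewKeys`, `Pub`, `Seal` and `Open` are names chosen here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// NewKeys generates ks, kd and kr from the post (constructed for this example).
func NewKeys() (ks, kd ed25519.PrivateKey, kr *rsa.PrivateKey) {
	_, ks, _ = ed25519.GenerateKey(rand.Reader)
	_, kd, _ = ed25519.GenerateKey(rand.Reader)
	kr, _ = rsa.GenerateKey(rand.Reader, 2048)
	return
}

func Pub(k ed25519.PrivateKey) ed25519.PublicKey { return k.Public().(ed25519.PublicKey) }

// Seal returns body = E(m + Sign(m, ks), kr) and the outer Sign(body, kd).
// Assumption: RSA-OAEP straight to kr, which limits m to 126 bytes here.
func Seal(m []byte, ks, kd ed25519.PrivateKey, kr *rsa.PublicKey) (body, outer []byte, err error) {
	inner := append(append([]byte{}, m...), ed25519.Sign(ks, m)...)
	if body, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, kr, inner, nil); err == nil {
		outer = ed25519.Sign(kd, body)
	}
	return
}

// Open checks the outer signature first; a modified body never reaches decryption.
func Open(body, outer []byte, ks, kd ed25519.PublicKey, kr *rsa.PrivateKey) ([]byte, error) {
	if !ed25519.Verify(kd, body, outer) {
		return nil, fmt.Errorf("outer signature invalid, body not decrypted")
	}
	inner, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, kr, body, nil)
	n := len(inner) - ed25519.SignatureSize
	if err != nil || n < 0 || !ed25519.Verify(ks, inner[:n], inner[n:]) {
		return nil, fmt.Errorf("decryption or sender signature check failed")
	}
	return inner[:n], nil
}

func main() {
	ks, kd, kr := NewKeys()
	body, outer, _ := Seal([]byte("hello"), ks, kd, &kr.PublicKey)
	m, err := Open(body, outer, Pub(ks), Pub(kd), kr)
	fmt.Printf("%q %v\n", m, err)
}
```

A body altered in transit fails at the first check in `Open`, so the decryptor only ever sees ciphertext that the signing server vouched for.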