[Cryptography] Does PGP use sign-then-encrypt or encrypt-then-sign?

Jerry Leichter leichter at lrw.com
Tue Jan 21 17:47:57 EST 2014


On Jan 21, 2014, at 4:36 PM, John Kelsey wrote:
> Encrypt then sign has the big advantage that on the receiving side, you can verify the signature before processing the ciphertext at all.  And that means you can avoid all kinds of chosen ciphertext attacks on your encryption mechanism, many of which are surprisingly effective.  (I'm thinking in terms of reaction attacks here--stuff where you mess up the last block of ciphertext, and learn something about the plaintext depending on whether your change messed up the block padding through CBC decryption.)

Verifying a signature is a fairly expensive operation, and one wonders if it, too, is subject to some kind of attack.

Perhaps the right solution is to do a MAC last - whether you do the signature or the encryption first.  A MAC is cheap to compute, cheap to check, and simple enough that you have some hope of being sure it won't information.

Or you can use a combined encryption and authentication mode.  I would think that you then want to do Sign-Then-Encrypt&Authenticate, as the outer authentication protects the inner signature from attack - but such reasoning has proved tricky and wrong in the past.
                                                        -- Jerry
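
The "MAC last" ordering discussed in this message, as an added example that is not part of the original post: the receiver checks an HMAC over the nonce and ciphertext before any untrusted byte reaches decryption, and reports one uniform error. The names `seal`, `Receiver` and `Rejected` are hypothetical, the signed blob is treated as opaque, and the cipher is a constructed standard-library stand-in.

```python
import hashlib
import hmac
import os

TAG_LEN, NONCE_LEN = 32, 16

class Rejected(Exception):
    """The one error the receiver ever reports, whatever went wrong."""

def _xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Constructed stand-in cipher (HMAC-SHA256 in counter mode) so the demo
    # runs on the standard library; use a vetted cipher in real code.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def seal(enc_key: bytes, mac_key: bytes, signed_blob: bytes) -> bytes:
    """Encrypt an already-signed blob, then MAC nonce||ciphertext last."""
    nonce = os.urandom(NONCE_LEN)
    body = nonce + _xor_keystream(enc_key, nonce, signed_blob)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

class Receiver:
    def __init__(self, enc_key: bytes, mac_key: bytes):
        self.enc_key, self.mac_key = enc_key, mac_key
        self.decrypt_calls = 0  # how often received bytes reached the cipher

    def open(self, message: bytes) -> bytes:
        body, tag = message[:-TAG_LEN], message[-TAG_LEN:]
        expected = hmac.new(self.mac_key, body, hashlib.sha256).digest()
        # Constant-time compare; nothing below runs on a modified message.
        if not hmac.compare_digest(tag, expected):
            raise Rejected()
        self.decrypt_calls += 1
        nonce, ciphertext = body[:NONCE_LEN], body[NONCE_LEN:]
        return _xor_keystream(self.enc_key, nonce, ciphertext)

def demo():
    rx = Receiver(os.urandom(32), os.urandom(32))
    msg = seal(rx.enc_key, rx.mac_key, b"constructed signed blob")
    plain = rx.open(msg)
    # Flip one bit in the last ciphertext byte, leaving the tag untouched.
    tampered = msg[:-TAG_LEN - 1] + bytes([msg[-TAG_LEN - 1] ^ 1]) + msg[-TAG_LEN:]
    try:
        rx.open(tampered)
    except Rejected:
        return plain, True, rx.decrypt_calls
    return plain, False, rx.decrypt_calls
```

The decryption counter stays at one after the modified message is submitted, so the only work done on it is a single HMAC computation and comparison.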


