[Cryptography] Does PGP use sign-then-encrypt or encrypt-then-sign?
James A. Donald
jamesd at echeque.com
Tue Jan 21 20:56:23 EST 2014
Since one does not want contact tracing, why make it easier by exposing
your durable public key on the outside?

Append your durable public key to message plaintext, or append an
identifier from which your public key can be located. MAC the plaintext
message with a shared secret created from your durable secret key and
the recipient's durable public key. (This form of signing proves to the
recipient that a person with your secret key signed the message, but
does not enable him to prove that to anyone else.)

Create a transient secret key and corresponding transient public key.
Create a transient shared secret from the transient secret key and the
recipient's durable public key.

Using the transient shared secret, symmetrically encrypt then MAC, or
perhaps use an authenticated block encryption mode.

Append the symmetrically encrypted and MACed message to the transient
public key, and send it.

Recipient derives the same transient shared secret from his durable
secret key and the transient public key (which is why we call that
secret "shared"), then checks the MAC, then decrypts. After decryption,
checks the signature, the inner MAC.
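
The scheme described in the message above, as an added sketch that is not part of the original post. Assumptions: a demo-sized finite-field Diffie-Hellman group and an HMAC-based toy stream cipher stand in for a real key-agreement group and cipher so that it runs on the standard library alone; all function names and the wire layout are hypothetical.

```python
import hashlib, hmac, secrets

# ASSUMPTION: demo-sized finite-field DH group so this runs on the standard
# library alone; it stands in for a real group (e.g. X25519) and is NOT secure.
P, G, N = 2**255 - 19, 2, 32

def keygen():
    sk = secrets.randbelow(P - 3) + 2
    return sk, pow(G, sk, P)

def shared(sk, peer_pk, label):
    if not 1 < peer_pk < P - 1:            # reject degenerate public keys
        raise ValueError("bad public key")
    return hashlib.sha256(label + pow(peer_pk, sk, P).to_bytes(N, "big")).digest()

def mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def xor_stream(key, data):
    # Toy cipher (HMAC-SHA256 counter keystream), a stand-in for a real one.
    ks = b"".join(mac(key, i.to_bytes(4, "big")) for i in range(len(data) // N + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(sender_sk, sender_pk, recip_pk, msg):
    # Inner "signature": MAC plaintext + sender key under the durable-durable secret.
    body = msg + sender_pk.to_bytes(N, "big")
    inner = body + mac(shared(sender_sk, recip_pk, b"inner"), body)
    # Outer layer: transient key pair, encrypt then MAC under the transient secret.
    t_sk, t_pk = keygen()
    ct = xor_stream(shared(t_sk, recip_pk, b"enc"), inner)
    return t_pk.to_bytes(N, "big") + ct + mac(shared(t_sk, recip_pk, b"mac"), ct)

def open_sealed(recip_sk, wire):
    if len(wire) < 4 * N:
        raise ValueError("short message")
    t_pk, ct, tag = int.from_bytes(wire[:N], "big"), wire[N:-N], wire[-N:]
    if not hmac.compare_digest(tag, mac(shared(recip_sk, t_pk, b"mac"), ct)):
        raise ValueError("outer MAC failed")
    inner = xor_stream(shared(recip_sk, t_pk, b"enc"), ct)
    body, inner_tag = inner[:-N], inner[-N:]
    sender_pk = int.from_bytes(body[-N:], "big")   # sender identity is only visible here
    if not hmac.compare_digest(inner_tag, mac(shared(recip_sk, sender_pk, b"inner"), body)):
        raise ValueError("inner MAC failed")
    return body[:-N], sender_pk
```

The returned sender key still has to be matched against a key the recipient already trusts; the inner MAC only shows that the holder of that key (or the recipient himself, since both can compute the durable shared secret) produced the message.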