[Cryptography] Does PGP use sign-then-encrypt or encrypt-then-sign?

Yuriy Kaminskiy yumkam at gmail.com
Wed Jan 22 05:12:27 EST 2014


Jerry Leichter wrote:
> On Jan 21, 2014, at 5:13 PM, Tony Arcieri wrote:
>> I am distinguishing MACs from "signatures", as at least in my nomenclature
>> digital signature systems are an inherently pubkey system.
> MACs and digital signature systems are different in a more fundamental way:
> With a signature system, Bob can prove to anyone that a message was signed by
> Alice without himself being able to produce messages with Alice's signature
> on them.  With a MAC, Bob has everything needed to produce messages "MAC'ed"
> by Alice.  But that's fine, because the entire purpose of a MAC is for Bob to
> be able to prove *to himself* that Alice produced a message.  There's not
> much point in him forging a message and then proving to himself that he
> forged it!

Yet *there is*. If Bob's private key has leaked and he is not aware of that,
a hijacker can decrypt a message from Alice, change its contents, re-encrypt it
to Bob with a corrected MAC, and pass it to Bob. That is not possible with a
signed message.

> [...]
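
The difference discussed in this message, as an added example that is not part of the original post: a party holding the recipient's key material can compute a valid MAC over changed text, but cannot make the sender's signature verify. Assumptions: `session_key` models the symmetric key that Bob's private key would unwrap, a Lamport one-time signature stands in for Alice's public-key signature so only the Python standard library is needed, and all names and messages are constructed.

```python
import hashlib, hmac, secrets

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def digest_bits(msg: bytes):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

# Lamport one-time signature: an assumption standing in for Alice's
# public-key signature so the example needs only the standard library.
def lamport_keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def lamport_sign(sk, msg: bytes):
    return [sk[i][bit] for i, bit in enumerate(digest_bits(msg))]

def lamport_verify(pk, msg: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    return all(hmac.compare_digest(H(s), pk[i][bit])
               for (i, bit), s in zip(enumerate(digest_bits(msg)), sig))

def mac_tag(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def mac_verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(key, msg), tag)

def compare_protections():
    # Constructed sample data. session_key models the symmetric key that
    # Bob's private key unwraps, so whoever holds that private key has it.
    session_key = secrets.token_bytes(32)
    alice_sk, alice_pk = lamport_keygen()
    original = b"constructed sample: meet at 10:00"
    altered = b"constructed sample: meet at 22:00"
    tag = mac_tag(session_key, original)
    sig = lamport_sign(alice_sk, original)
    # A holder of Bob's key material knows session_key but not alice_sk:
    # a fresh tag over the altered text can be computed, a signature cannot.
    recomputed_tag = mac_tag(session_key, altered)
    return {
        "mac_original": mac_verify(session_key, original, tag),
        "mac_altered": mac_verify(session_key, altered, recomputed_tag),
        "sig_original": lamport_verify(alice_pk, original, sig),
        "sig_altered": lamport_verify(alice_pk, altered, sig),
    }
```

The MAC check passes for both texts because the verifier's key is also the tagging key; the signature check passes only for the text Alice signed.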
