[Cryptography] Does PGP use sign-then-encrypt or encrypt-then-sign?

Peter Todd pete at petertodd.org
Wed Jan 22 12:57:08 EST 2014


On Tue, Jan 21, 2014 at 01:48:21PM -0500, Derek Atkins wrote:
> Hi,
> 
> On Tue, January 21, 2014 11:01 am, Stephan Neuhaus wrote:
> > Dear list,
> >
> > I'll be darned if I can find in RFC4880 how to do both encryption and
> > signature in OpenPGP.  Knowing that both naively doing sign-then-encrypt
> > and encrypt-then-sign have their problems, surely it can't be that,
> > right?  So what *is* actually happening in OpenPGP?  And where does it
> > say that in the RFC?
> 
> The RFC does not specify, because protocol-wise both are valid.  You could
> do either sign-then-encrypt or encrypt-then-sign, and PGP validators
> should handle either order of packet nesting.  The more appropriate
> question would be: what do the various OpenPGP implementations do by
> default, and that I cannot answer for you.

GnuPG at least does sign-then-encrypt, and for good reason.  Consider
the following encrypted message:

If you try to decrypt it:

nobody@nowhere:~$ gpg -d < msg.asc
gpg: encrypted with RSA key, ID 00000000
gpg: decryption failed: secret key not available

Minimum possible information leakage; you know nothing at all about the
sender (or the intended receiver, since I used the hidden recipient
feature). Encrypt-then-sign, on the other hand, has to leak info on who
signed the message.

Of course, if you can decrypt the message you can see the encrypted
signature and verify it:

nobody@nowhere:~$ gpg --override-session-key 7:D88A707170A1171BADA5883A10853987 -d < msg.asc
gpg: encrypted with RSA key, ID 00000000
<nsa slides go here>
gpg: Signature made Wed 22 Jan 2014 12:32:58 PM EST
gpg:                using RSA key 2481403DA5F091FB
gpg: Good signature from "Peter Todd <pete at petertodd.org>"
gpg:                 aka "[jpeg image of size 5220]"

-- 
'peter'[:-1]@petertodd.org
00000000000000015cb8d314960db888ee3e884c05ccabdf1cfaccd02b57942b
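
The difference in outer-layer metadata described in the message above, as an added example that is not part of the original post or of GnuPG: a minimal Python reader for RFC 4880 packet headers, run over two constructed byte strings, one nested as sign-then-encrypt and one as encrypt-then-sign. The function names and sample packets are assumptions for illustration; only the signer key ID 2481403DA5F091FB is taken from the gpg output above.

```python
TAGS = {1: "PKESK", 2: "Signature", 4: "One-Pass Signature", 18: "SEIPD"}

def outer_packets(data):
    """Yield (tag, body) per RFC 4880 section 4.2; no partial/indeterminate lengths."""
    i = 0
    while i < len(data):
        hdr = data[i]; i += 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                        # new-format header
            tag, o1 = hdr & 0x3F, data[i]; i += 1
            if o1 < 192:
                n = o1
            elif o1 < 224:
                n = ((o1 - 192) << 8) + data[i] + 192; i += 1
            elif o1 == 255:
                n = int.from_bytes(data[i:i + 4], "big"); i += 4
            else:
                raise ValueError("partial body length not supported")
        else:                                 # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 3
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            size = 1 << ltype                 # 1, 2 or 4 length octets
            n = int.from_bytes(data[i:i + size], "big"); i += size
        if i + n > len(data):
            raise ValueError("truncated packet")
        yield tag, data[i:i + n]; i += n

def visible_metadata(data):
    """What an observer holding no secret key reads off the outer packet layer."""
    out = []
    for tag, body in outer_packets(data):
        if tag == 1 and body[:1] == b"\x03":      # PKESK v3: key ID at offset 1
            out.append(("recipient", body[1:9].hex().upper()))
        elif tag == 4 and body[:1] == b"\x03":    # one-pass sig v3: key ID at offset 4
            out.append(("signer", body[4:12].hex().upper()))
        else:
            out.append((TAGS.get(tag, "tag %d" % tag), None))
    return out

def pkt(tag, body):                           # constructed sample packet, body < 192 bytes
    return bytes([0xC0 | tag, len(body)]) + body

# Constructed samples: zero key ID = hidden recipient; signer key ID is the one gpg printed.
PKESK = pkt(1, b"\x03" + bytes(8) + b"\x01" + b"\x00\x08\xaa")
SEIPD = pkt(18, b"\x01" + bytes(32))          # stand-in for opaque ciphertext
OPS = pkt(4, bytes([3, 0, 8, 1]) + bytes.fromhex("2481403DA5F091FB") + b"\x01")
SIG = pkt(2, b"\x04" + bytes(10))             # stand-in signature body
SIGN_THEN_ENCRYPT, ENCRYPT_THEN_SIGN = PKESK + SEIPD, OPS + PKESK + SEIPD + SIG
```

Calling visible_metadata() on SIGN_THEN_ENCRYPT yields only the zeroed recipient key ID and an opaque encrypted packet, while ENCRYPT_THEN_SIGN additionally yields the signer's key ID in the clear.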