[Cryptography] Does PGP use sign-then-encrypt or encrypt-then-sign?

Ralf Senderek crypto at senderek.ie
Wed Jan 22 13:56:00 EST 2014


Peter Todd wrote:

> GnuPG at least does sign-then-encrypt, and for good reason.
...
> Minimum possible information leakage; you know nothing at all about the
> sender. (or the intended receiver since I used the hidden recipient
> feature) Encrypt-then-sign on the other hand has to leak info on who
> signed the message.


In 1996 W. Unruh explained another good reason to avoid signing ciphertext
in his paper "PGP Attacks". Here is his reasoning.

    Chosen Ciphertext Attack:

    An attacker listens in on the insecure channel in which RSA
    messages are passed. The attacker collects an encrypted message c,
    from the target (destined for some other party). The attacker wants to be able
    to read this message without having to mount a serious factoring
    effort.
    In other words, she wants m=c^d.

    To recover m, the attacker first chooses a random number, r < n. (The
    attacker has the public-key (e,n).) The attacker computes:

    x=r^e mod n (She encrypts r with the target's public-key)

    y=xc mod n (Multiplies the target ciphertext with the temp)

    t=r^-1 mod n (Multiplicative inverse of r mod n)

    The attacker counts on the fact that:

    If x=r^e mod n, Then r=x^d mod n

    The attacker then gets the target to sign y with her private-key,
    (which actually decrypts y) and sends u=y^d mod n to the attacker. The attacker
    simply computes:

    tu mod n = (r^-1)(y^d) mod n = (r^-1)(x^d)(c^d) mod n = (c^d) mod n = m

    To foil this attack do not sign some random document presented to you.
    Sign a one-way hash of the message instead.


Signing ciphertext directly has long been considered to be a mortal sin.

    -- ralf
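The arithmetic in the quoted passage can be checked directly. The block below is an added illustration, not code from the post or from Unruh's paper: it uses constructed textbook-sized RSA parameters (p = 61, q = 53, e = 17, which are far too small for real use) and follows the quoted steps with the same symbols (c, r, x, y, t, u). It contrasts two signing oracles: one that applies the private exponent to whatever value it is handed, which lets the blinding step return m exactly, and a hash-then-sign oracle, against which the same computation returns an unrelated value. The hash choice (SHA-256 of the decimal string, reduced mod n) is an assumption made only so the example is self-contained.

```python
import hashlib
from math import gcd

# Constructed toy RSA key (classic textbook parameters; not secure, chosen for readability).
P, Q = 61, 53
N = P * Q                          # 3233
E = 17
D = pow(E, -1, (P - 1) * (Q - 1))  # 2753, the private exponent


def encrypt(m: int, e: int = E, n: int = N) -> int:
    """Textbook RSA encryption: c = m^e mod n."""
    return pow(m, e, n)


def sign_raw(y: int, d: int = D, n: int = N) -> int:
    """The 'mortal sin': sign (i.e. RSA-decrypt) any value presented, y^d mod n."""
    return pow(y, d, n)


def sign_hashed(y: int, d: int = D, n: int = N) -> int:
    """Hash-then-sign: the private exponent is applied to H(y), never to y itself.
    (Hash construction is an assumption for this example, not a real PGP format.)"""
    h = int.from_bytes(hashlib.sha256(str(y).encode()).digest(), "big") % n
    return pow(h, d, n)


def blinding_recovery(c: int, sign_oracle, r: int, e: int = E, n: int = N) -> int:
    """Unruh's computation, step for step, against a given signing oracle.

    Returns t*u mod n; this equals m only when the oracle exponentiates y directly.
    """
    if gcd(r, n) != 1:
        raise ValueError("r must be invertible mod n")
    x = pow(r, e, n)       # x = r^e mod n   (r encrypted under the target's public key)
    y = (x * c) % n        # y = x*c mod n   (blinded ciphertext)
    t = pow(r, -1, n)      # t = r^-1 mod n
    u = sign_oracle(y)     # u = whatever the target returns when asked to sign y
    return (t * u) % n     # t*u mod n


def demo() -> tuple:
    """Returns (raw-oracle result, hashed-oracle result, original m) for a constructed message."""
    m = 65                 # constructed plaintext
    c = encrypt(m)         # c = 65^17 mod 3233 = 2790
    r = 1234               # constructed blinding factor, gcd(1234, 3233) == 1
    return blinding_recovery(c, sign_raw, r), blinding_recovery(c, sign_hashed, r), m


if __name__ == "__main__":
    raw, hashed, m = demo()
    print(f"m = {m}; raw-signing oracle yields {raw}; hash-then-sign oracle yields {hashed}")
```

With the raw oracle the identity t*u = r^-1 * r * c^d = c^d = m holds by construction, whatever r is chosen. With the hashed oracle the value returned is r^-1 * H(y)^d, which bears no useful relation to c^d; that is exactly the difference the quoted text's last two sentences point at.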


