[Cryptography] Does PGP use sign-then-encrypt or encrypt-then-sign?

Steve Weis steveweis at gmail.com
Wed Jan 22 16:29:38 EST 2014


Comments below...

On Wed, Jan 22, 2014 at 10:56 AM, Ralf Senderek <crypto at senderek.ie> wrote:
> In 1996 W. Unruh explained another good reason to avoid signing ciphertext
> in his paper "PGP Attacks". Here is his reasoning.
>
>    Chosen Ciphertext Attack:
>
>    An attacker listens in on the insecure channel in which RSA
>    messages are passed. The attacker collects an encrypted message c,
>    from the target (destined for some other party). The attacker wants to be able
>    to read this message without having to mount a serious factoring
>    effort.
> ...
>    The attacker then gets the target to sign y with her private key
>    (which actually decrypts y) and send u=y^d mod n to the attacker. The attacker
>    simply computes:
> ...
>    To foil this attack do not sign some random document presented to you.
>    Sign a one-way hash of the message instead.
>
> Signing ciphertext directly has long been considered to be a mortal sin.

This attack doesn't apply to standard signature algorithms, which sign
hash digests. It also assumes you use the same RSA key for signing and
encryption, which is an unsafe practice for this very reason.

I think signing ciphertexts is generally a best practice, and
certainly not a "mortal sin".
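
The blinding attack from the quoted paper, worked through in code, as an added example that is not part of the thread or of Unruh's paper. It uses textbook RSA with one key pair deliberately shared between encryption and signing (the unsafe practice the reply points out), and compares a signer that signs whatever value it is handed with one that signs a SHA-256 digest of it. The key, the message, the attacker's blinding factor and all function names are constructed for this example.

```python
import hashlib
import math
import secrets

# Constructed toy key for the demonstration (not a real key). Two well-known
# primes give a ~60-bit textbook-RSA modulus: small enough to read, large
# enough that an accidental hash collision below is not a realistic concern.
P, Q = 1_000_000_007, 998_244_353
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537
D = pow(E, -1, PHI)          # private exponent (modular inverse, Python 3.8+)


def encrypt(m: int) -> int:
    return pow(m, E, N)


def decrypt(c: int) -> int:
    return pow(c, D, N)


def sign_raw(x: int) -> int:
    # Textbook RSA "signature" of a raw value: exactly the decrypt operation.
    return pow(x, D, N)


def digest(x: int) -> int:
    # SHA-256 of the big-endian encoding of x, reduced into the signing range.
    raw = x.to_bytes((x.bit_length() + 7) // 8 or 1, "big")
    return int.from_bytes(hashlib.sha256(raw).digest(), "big") % N


def sign_hashed(x: int) -> int:
    # Signs a one-way hash of the presented value instead of the value itself.
    return pow(digest(x), D, N)


def verify_hashed(x: int, s: int) -> bool:
    return pow(s, E, N) == digest(x)


def blinding_attack(c: int, sign_oracle, r=None) -> int:
    """Chosen-ciphertext (blinding) attack against a signer that uses the
    decryption key. c is an intercepted ciphertext of the unknown message m;
    sign_oracle stands in for the target, who signs whatever is presented."""
    if r is None:
        while True:                       # random blinding factor coprime to N
            r = secrets.randbelow(N - 2) + 2
            if math.gcd(r, N) == 1:
                break
    y = (c * pow(r, E, N)) % N            # y = c * r^e, so y^d = m * r (mod N)
    u = sign_oracle(y)                    # target "signs" y, i.e. computes y^d
    return (u * pow(r, -1, N)) % N        # strip the blinding factor: m * r * r^-1


def demo():
    m = 0xDEADBEEFCAFE                    # constructed secret message, below N
    c = encrypt(m)                        # what the attacker sees on the wire
    recovered = blinding_attack(c, sign_raw)      # raw signing: m comes back
    foiled = blinding_attack(c, sign_hashed)      # hashed signing: garbage
    return m, recovered, foiled


if __name__ == "__main__":
    m, recovered, foiled = demo()
    print(f"message    = {m:#x}")
    print(f"raw signer leaked m: {recovered == m}")
    print(f"hashed signer leaked m: {foiled == m}")
```

Against the hashed signer the attacker receives H(y)^d rather than y^d, and turning that into m would require finding a y whose digest equals c * r^e, a preimage search. The same split of duties that real schemes enforce (a padded hash, and separate keys for signing and decryption) is what removes the oracle; the hash alone suffices here only because the sample signer never exponentiates an attacker-chosen value directly.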

