[Cryptography] Does PGP use sign-then-encrypt or encrypt-then-sign?
Steve Weis
steveweis at gmail.com
Wed Jan 22 20:13:20 EST 2014
On Wed, Jan 22, 2014 at 3:05 PM, Alexandre Anzala-Yamajako
<anzalaya at gmail.com> wrote:
>> I think signing ciphertexts is generally a best practice, and certainly not a "mortal sin".
>
> In the public key world, signing ciphertexts not only reveals the identity
> of the sender but also allow relay attacks where a guy intercepts a signed
> message, strips it from his signature and replaces it with its own.
> Depending on the protocol it can be a problem.
> I think the encrypt-sign-encrypt solution solves both of those problems
Like I said, I think encrypt-then-sign is generally a best practice
for both symmetric and public-key crypto. There are some exceptions,
but I've mainly seen those motivated by performance or legacy issues.
The relay attack you describe implies a naive verifier that doesn't
check whose key signed a message. It means the verifier accepts any
well-formed signature, regardless of the key that signed it. That
seems to defeat the purpose of signing it in the first place. If
that's the case, I don't think the proposed solution to encrypt again
actually helps.
More information about the cryptography
mailing list