[Cryptography] Does PGP use sign-then-encrypt or encrypt-then-sign?
Kristian Gjøsteen
kristian.gjosteen at math.ntnu.no
Thu Jan 23 03:55:22 EST 2014
23. jan. 2014 kl. 00:05 skrev Alexandre Anzala-Yamajako <anzalaya at gmail.com>:
> In the public key world, signing ciphertexts not only reveals the identity of the sender but also allow relay attacks where a guy intercepts a signed message, strips it from his signature and replaces it with its own. Depending on the protocol it can be a problem.
As usual, this is a well-studied problem. You need only include the sender and recipient identities together with the message, and then EtS and StE are both secure.
On the Security of Joint Signature and Encryption. Jee Hea An, Yevgeniy Dodis, and Tal Rabin. EUROCRYPT, volume 2332 of Lecture Notes in Computer Science, page 83-107. Springer, (2002).
Obviously they have different properties: EtS ciphertexts reveal the sender (which may be both desirable or undesirable or both), while StE ciphertexts do not (probably not sufficient on its own).
> I think the encrypt-sign-encrypt solution solves both of those problems
It is at best an inefficient solution. (I have not verified that it is a solution.)
--
Kristian Gjøsteen
More information about the cryptography
mailing list