[Cryptography] Does PGP use sign-then-encrypt or encrypt-then-sign?

Jerry Leichter leichter at lrw.com
Thu Jan 23 09:31:27 EST 2014


On Jan 22, 2014, at 5:12 AM, Yuriy Kaminskiy <yumkam at gmail.com> wrote:
>>> I am distinguishing MACs from "signatures", as at least in my nomenclature
>>> digital signature systems are an inherently pubkey system.
>> MAC's and digital signature systems are different in a more fundamental way:
>> With a signature system, Bob can prove to anyone that a message was signed by
>> Alice without himself being able to produce messages with Alice's signature
>> on them.  With a MAC, Bob has everything needed to produce messages "MAC'ed"
>> by Alice.  But that's fine, because the entire purpose of a MAC is for Bob to
>> be able to prove *to himself* that Alice produced a message.  There's not
>> much point in him forging a message and then proving to himself that he
>> forged it!
> 
> Yet *there are*. If Bob's private key leaked and he is not aware of that, a
> hijacker can decrypt a message from Alice, change its contents, re-encrypt it to Bob with a corrected MAC, and pass it to Bob. Not possible with a signed message.
Let's see if I understand the attack you're describing:  No one uses asymmetric crypto for bulk encryption for many very good reasons, so Alice and Bob share a symmetric key K that Alice uses to encrypt messages to Bob.  They also share a MAC key K' that Alice uses to compute MAC's on messages sent to Bob.  If Charles gets his hands on both K and K', yes, he can synthesize messages to Bob that Bob will accept as genuine.  (He can also intercept messages from Alice to Bob and read them, but he doesn't need to do that to send his own messages.)

If Alice instead signs her messages using an asymmetric system with private key P_A, Charles will need to get hold of K and P_A.  Granted, Charles can get both K and K' from Bob, but he can only get P_A from Alice.  But is this really enough of a difference to matter?  At least K' is per-session; if the per-session keys are chosen correctly, it will become worthless when the next session starts.  P_A, on the other hand, is a long-term secret.  If Alice loses it, she'd better hope that she (a) finds out quickly; (b) has access to an actual working key revocation system.

BTW, one might argue that using a combined encryption/authentication mode is less secure because then effectively K == K'.  But again, is it really all that different?  If you can't keep your session keys secure, you're dead.

                                                        -- Jerry
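The key-holding asymmetry the thread is arguing about, as an added illustration that is not part of the original message: Bob's MAC check passes for anyone holding the shared key K', while his signature check needs Alice's long-term private key P_A, which Bob never holds. All key material below is constructed from fixed seeds for the demonstration; the names Tag, BobAcceptsMAC, BobAcceptsSig and ForgeryOutcome are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// Constructed, deterministic key material (not real keys).
var (
	macKey      = []byte("shared-mac-key-Kprime-alice-bob") // K': held by Alice AND Bob
	aliceSeed   = seed32("alice-long-term-signing-seed")     // P_A: held by Alice only
	charlesSeed = seed32("charles-own-signing-seed")         // whatever key Charles has
)

// seed32 derives a 32-byte Ed25519 seed from a label (demo only).
func seed32(label string) []byte {
	sum := sha256.Sum256([]byte(label))
	return sum[:]
}

// Tag computes HMAC-SHA256 over msg under key.
func Tag(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// BobAcceptsMAC is Bob's check. It only needs K', so anyone who holds K'
// (Bob himself, or Charles after a leak) can produce a tag that passes it.
func BobAcceptsMAC(msg, tag []byte) bool {
	return hmac.Equal(Tag(macKey, msg), tag)
}

// BobAcceptsSig is Bob's check against Alice's public key; Bob holds no
// secret here, so leaking Bob's material gives Charles nothing to sign with.
func BobAcceptsSig(alicePub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(alicePub, msg, sig)
}

// ForgeryOutcome reports whether a message Charles made up is accepted by
// Bob under each scheme, given Charles holds everything Bob holds (K' and
// Alice's public key) but not P_A. Returns (macAccepted, sigAccepted).
func ForgeryOutcome(forged []byte) (bool, bool) {
	alicePriv := ed25519.NewKeyFromSeed(aliceSeed)
	alicePub := alicePriv.Public().(ed25519.PublicKey)
	charlesPriv := ed25519.NewKeyFromSeed(charlesSeed)
	macOK := BobAcceptsMAC(forged, Tag(macKey, forged))
	sigOK := BobAcceptsSig(alicePub, forged, ed25519.Sign(charlesPriv, forged))
	return macOK, sigOK
}

func main() {
	m, s := ForgeryOutcome([]byte("constructed forged message"))
	fmt.Printf("forged MAC accepted: %v, forged signature accepted: %v\n", m, s)
}
```

The session-key caveat in the message still stands: the point here is only who can *produce* a tag Bob accepts, not how long a leaked K' stays useful.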
