[Cryptography] Does PGP use sign-then-encrypt or encrypt-then-sign?

James A. Donald jamesd at echeque.com
Fri Jan 24 15:20:56 EST 2014


On 2014-01-23 18:55, Kristian Gjøsteen wrote:
> 23. jan. 2014 kl. 00:05 skrev Alexandre Anzala-Yamajako <anzalaya at gmail.com>:
>
>> In the public key world, signing ciphertexts not only reveals the identity of the sender but also allows relay attacks where a guy intercepts a signed message, strips it from his signature and replaces it with its own. Depending on the protocol it can be a problem.
>
> As usual, this is a well-studied problem. You need only include the sender and recipient identities together with the message, and then EtS and StE are both secure.
>
> 	On the Security of Joint Signature and Encryption. Jee Hea An, Yevgeniy Dodis, and Tal Rabin. EUROCRYPT, volume 2332 of Lecture Notes in Computer Science, pages 83-107. Springer, (2002).
>
> Obviously they have different properties: EtS ciphertexts reveal the sender (which may be both desirable or undesirable or both), while StE ciphertexts do not (probably not sufficient on its own).
>
>> I think the encrypt-sign-encrypt solution solves both of those problems
>
> It is at best an inefficient solution. (I have not verified that it is a solution.)
>


Signing bad, except in few special cases.  Authentication good.

To encrypt, must establish a shared secret.  Derive encryption and 
authentication shared secrets, and use the authentication secret for a MAC.

If need to associate ephemeral public key with sender's permanent public 
key, wrap another shared secret that involves the permanent public key 
inside the message.
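
Added example, not part of the original post or the quoted replies: a sketch of deriving separate encryption and authentication keys from one shared secret and MACing the ciphertext together with the sender and recipient identities. It assumes the shared secret is already established (for instance by a Diffie-Hellman exchange); the labels `b"enc"` and `b"auth"`, the function names, and the HMAC-based keystream standing in for a real cipher are all assumptions of this example.

```python
import hashlib
import hmac
import os

def hkdf(secret: bytes, label: bytes) -> bytes:
    """HKDF-SHA256 (RFC 5869), zero salt, one 32-byte output block."""
    prk = hmac.new(b"\x00" * 32, secret, hashlib.sha256).digest()
    return hmac.new(prk, label + b"\x01", hashlib.sha256).digest()

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Stand-in stream cipher (HMAC in counter mode); use a vetted cipher in practice."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def header(sender: bytes, recipient: bytes) -> bytes:
    """Length-prefixed identities, so ("ab", "c") and ("a", "bc") encode differently."""
    return b"".join(len(x).to_bytes(2, "big") + x for x in (sender, recipient))

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def seal(secret: bytes, sender: bytes, recipient: bytes, plaintext: bytes) -> bytes:
    # Two independent keys from one shared secret: one encrypts, one authenticates.
    enc_key, mac_key = hkdf(secret, b"enc"), hkdf(secret, b"auth")
    nonce = os.urandom(16)
    ct = xor(plaintext, keystream(enc_key, nonce, len(plaintext)))
    # The MAC covers both identities as well as the nonce and ciphertext.
    tag = hmac.new(mac_key, header(sender, recipient) + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_sealed(secret: bytes, sender: bytes, recipient: bytes, blob: bytes) -> bytes:
    if len(blob) < 48:  # 16-byte nonce + 32-byte tag
        raise ValueError("message too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    mac_key = hkdf(secret, b"auth")
    want = hmac.new(mac_key, header(sender, recipient) + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):  # check the MAC before decrypting anything
        raise ValueError("authentication failed")
    return xor(ct, keystream(hkdf(secret, b"enc"), nonce, len(ct)))
```

A message sealed for one sender/recipient pair fails verification when opened under any other pair, even with the correct shared secret.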

