[Cryptography] Does PGP use sign-then-encrypt or encrypt-then-sign?

Jon Callas jon at callas.org
Sat Jan 25 18:43:34 EST 2014 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On Jan 21, 2014, at 2:29 PM, Dominik Schürmann <dominik at dominikschuermann.de> wrote:

> * PGP Signed by an unknown key
> 
> Hey,
> 
> I am also very much interested in an answer to this question. Just read
> http://world.std.com/~dtd/sign_encrypt/sign_encrypt7.html .
> 
> Has there been progress from 2001 to today in OpenPGP's standard
> regarding this problem?

What do you mean by "progress"?

Lots of people in the security world wake up one day to a surprise and convince themselves that it's a bug.

Let's call this the same thing we used to -- which is the question of whether a signature should be inside "the envelope" (meaning the encrypted part) or outside the envelope.

As Derek pointed out, the strict syntax of OpenPGP permits either. However, most (all?) software puts the signature inside the envelope. It's likely an option in GnuPG because they're good about implementing all legal syntactic possibilities.

The major reason for a signature inside the envelope is that if the signature is on the outside, it cryptographically states to a passive observer that Alice is talking to Bob. It makes anonymous remailers and other things harder to do or impossible. The reasons for putting the signature in the envelope is to reduce the threat of traffic analysis.

PEM put the signature outside the envelope and *only* permitted it outside the envelope. At the time, there were plenty of dark things said about this. Similarly to today and a number of protocols, PEM was looked at as tantamount to insecure by design, and if there was a drawback in anything PEM did, many people considered it an unmitigated, intentional flaw.

There's no single answer here. Either side has plusses and minuses. I think that overall, you want the signature on the inside of the envelope and that has the drawback that you can send a decrypted signed plaintext message to third parties. I view that as a relatively small drawback. There is a difference between a surveillance system and a betrayal. Security can't stop a betrayal.

But -- I do see the other side. I just disagree.

	Jon


-----BEGIN PGP SIGNATURE-----
Version: PGP Universal 3.2.0 (Build 1672)
Charset: iso-8859-1

wj8DBQFS5E79sTedWZOD3gYRAgmwAKDhEjsfvYRIhIDaA+2vkFezMtzs6gCbBtMh
7Ed54LJdeHdMeiX1jiJtZFY=
=g1xX
-----END PGP SIGNATURE-----

More information about the cryptography mailing list