[Cryptography] Does PGP use sign-then-encrypt or encrypt-then-sign?

Peter Todd pete at petertodd.org
Sun Jan 26 17:44:12 EST 2014


On Mon, Jan 27, 2014 at 08:11:16AM +1000, James A. Donald wrote:
> On 2014-01-27 07:39, Peter Todd wrote:
> >I personally have made use of sign-then-encrypt by signing a
> >confidential security audit, encrypting it to the client, and telling
> >them how they can use the --override-session-key feature of GPG to later
> >release my report after the client had fixed the issues.
> 
> In such special cases you want to sign.
> 
> You seldom want to sign, you always want to authenticate.
> Using signatures for authentication is a security flaw.
> 
> So, by default, a secure communication system should always
> authenticate by default, and check authentication by default, and
> never sign by default.
> 
> Authentication should always be checked, and if authentication is
> not present, the recipient's system should silently ignore the
> message. Signatures should be checked, and the user notified if the
> signature fails.  However the recipient system should not expect a
> signature.
> 
> The simplest way to do this is for signature, if present, to be
> present in addition to authentication, even though it can substitute
> for authentication.

You're making a lot of assumptions about what users actually need. You
are also forgetting that the most important thing a security system can
do is communicate accurately to those users about what guarantees it
actually provides so they can make that decision for themselves.

What's interesting is that in the real world message contents are
generally regarded as sufficient basis for non-repudiation anyway; if a
message lacks a cryptographic signature courts and public opinion are
quite happy to take other evidence into consideration. OTR has had to
work against that perception by creating concrete, usable, tools to
forge chat transcripts. OTR also uses quite different terminology than
GnuPG does - in particular the way the encryption/authentication is
presented to the user is to say the *chat* is being protected.

GnuPG-using applications, such as Mutt, don't do that. For example
here's how Mutt presents another email I have in my inbox:

Date: Mon, 20 Jan 2014 23:30:10 +0200
From: John Smith <john.smith at gmail.com>
To: Peter Todd <pete at petertodd.org>
Subject: FooBar design review
X-Mailer: Evolution 3.4.4-3

[-- PGP output follows (current time: Sun 26 Jan 2014 05:17:12 PM EST) --]
[-- End of PGP output --]

[-- The following data is PGP/MIME encrypted --]

[-- PGP output follows (current time: Sun 26 Jan 2014 05:17:12 PM EST) --]
gpg: Signature made Mon 20 Jan 2014 04:30:10 PM EST
gpg:                using RSA key 1234567890ABCDEF
gpg: Good signature from "John Smith <john.smith at gmail.com>"
[-- End of PGP output --]

[-- The following data is signed --]

<snip>

[-- End of signed data --]

[-- End of PGP/MIME encrypted data --]

This is actually a pretty good UI that communicates what is actually
happening well. It clearly shows that the encryption acts as a
container, and the signed data is within that secure container. The
signed part clearly states it's a signature and that the signature comes
from a specific person.

With some thought a layman with some knowledge of how cryptography works
could reasonably come to the correct conclusion that the email could be
decrypted and the inner, signed, message distributed separately with
non-repudiation. Mutt also correctly made clear that the Subject: and
other header data was not data that was either signed or encrypted.

An encryption/authentication system providing guarantees closer to what
OTR does would have to present things quite differently, especially in
the multi-party case:

Date: Mon, 20 Jan 2014 23:30:10 +0200
From: John Smith <john.smith at gmail.com>
To: Peter Todd <pete at petertodd.org>
Cc: Alice Jones <alice.jones at fbi.gov>
Subject: FooBar design review
X-Mailer: Evolution 3.4.4-3

[-- The following data is OTR protected --]

[-- OTR output follows --]
otr: Secure conversation between "John Smith <john.smith at gmail.com>",
otr:                             "Peter Todd <pete at petertodd.org>",
otr:                             "Alice Jones <alice.jones at fbi.gov>"
otr: WARNING: The following text may have come from any one of those
otr:          participants!
[-- End of OTR output --]

<snip>

[-- End of OTR protected data --]

For a durable, non-interactive, medium like email I suspect users are
much less likely to correctly understand exactly what is being
guaranteed. The idea that you can have a conversation where any
participant in that conversation can impersonate another just doesn't
map to real-world experience, especially one that isn't real-time. The
GnuPG guarantees on the other hand map really well to real-world sealed
envelope and signed letter analogies.

-- 
'peter'[:-1]@petertodd.org
0000000000000000341e18387d3c81fe83fe0f9498b731a712bb787bc75193db
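The two containers discussed in this message, as an added worked example that is not part of the thread and not GnuPG or OTR code: an outer encryption layer wrapping a signed inner message (the Mutt layout above), beside a shared-key authentication tag of the kind OTR uses. Ed25519 and AES-GCM stand in for the OpenPGP primitives, and the session key is modelled as a raw symmetric key the recipient holds (assumption: the public-key wrapping of that key to the recipient, which --override-session-key bypasses, is left out). The point it shows is the one the two UIs express: the decrypted inner message still verifies on its own for any third party, while a MAC tag checks for every holder of the shared key, so it cannot prove who wrote the text.

```go
// Added example, not code from the thread. Sign-then-encrypt as a layered
// container, beside shared-key (OTR-style) authentication. Assumed model:
// the session key is a raw 32-byte AES key rather than a public-key-wrapped
// OpenPGP session key.
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignedMessage is the inner container: body, signer's public key, signature.
type SignedMessage struct {
	Body   []byte
	Signer ed25519.PublicKey
	Sig    []byte
}

// Sign builds the inner container; nothing about the outer layer is involved.
func Sign(body []byte, priv ed25519.PrivateKey) SignedMessage {
	return SignedMessage{Body: body, Signer: priv.Public().(ed25519.PublicKey), Sig: ed25519.Sign(priv, body)}
}

// Verify needs only the inner container, so whoever it is handed to can check it.
func Verify(m SignedMessage) bool { return ed25519.Verify(m.Signer, m.Body, m.Sig) }

// Wire format of the inner container (constructed for this example): sig || pubkey || body.
func encodeSigned(m SignedMessage) []byte {
	out := append([]byte{}, m.Sig...)
	out = append(out, m.Signer...)
	return append(out, m.Body...)
}

func decodeSigned(b []byte) (SignedMessage, error) {
	hdr := ed25519.SignatureSize + ed25519.PublicKeySize
	if len(b) < hdr {
		return SignedMessage{}, errors.New("signed message truncated")
	}
	return SignedMessage{Sig: b[:ed25519.SignatureSize], Signer: ed25519.PublicKey(b[ed25519.SignatureSize:hdr]), Body: b[hdr:]}, nil
}

func newGCM(sessionKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SignThenEncrypt wraps the signed inner container in an AES-GCM outer container.
func SignThenEncrypt(body []byte, priv ed25519.PrivateKey, sessionKey []byte) (nonce, ct []byte, err error) {
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, encodeSigned(Sign(body, priv)), nil), nil
}

// DecryptAndVerify is the recipient's view: open the outer container, then
// check the inner signature. A failing signature is reported, never ignored.
func DecryptAndVerify(sessionKey, nonce, ct []byte) (SignedMessage, error) {
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return SignedMessage{}, err
	}
	pt, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return SignedMessage{}, err
	}
	m, err := decodeSigned(pt)
	if err != nil {
		return SignedMessage{}, err
	}
	if !Verify(m) {
		return m, errors.New("inner signature does not verify")
	}
	return m, nil
}

// Authenticate is the OTR-style alternative: an HMAC under a key every
// participant holds. CheckAuth passes for any holder of that key, which is
// exactly why it cannot prove authorship to a third party.
func Authenticate(sharedKey, body []byte) []byte {
	mac := hmac.New(sha256.New, sharedKey)
	mac.Write(body)
	return mac.Sum(nil)
}

func CheckAuth(sharedKey, body, tag []byte) bool {
	return hmac.Equal(tag, Authenticate(sharedKey, body))
}

func main() {
	_, auditorKey, _ := ed25519.GenerateKey(rand.Reader)
	sessionKey := make([]byte, 32) // constructed; the value a client would later hand out
	rand.Read(sessionKey)
	report := []byte("constructed sample: confidential audit report")
	nonce, ct, err := SignThenEncrypt(report, auditorKey, sessionKey)
	if err != nil {
		panic(err)
	}
	inner, err := DecryptAndVerify(sessionKey, nonce, ct)
	if err != nil {
		panic(err)
	}
	// Released inner container verifies without the session key or ciphertext.
	fmt.Println("released report verifies:", Verify(inner) && bytes.Equal(inner.Body, report))
	shared := make([]byte, 32)
	rand.Read(shared)
	fmt.Println("sender's tag checks:", CheckAuth(shared, []byte("hi"), Authenticate(shared, []byte("hi"))))
	// The recipient holds the same key, so a tag it computes itself checks too.
	fmt.Println("recipient's own tag checks:", CheckAuth(shared, []byte("other"), Authenticate(shared, []byte("other"))))
}
```

Verify takes only the SignedMessage, which is the whole point: once the client has opened the outer container (or published the session key), the inner part carries its own proof of origin and can be distributed on its own, as the Mutt display implies. The HMAC path has no such separable proof; the recipient's own tag is indistinguishable from the sender's, which is the property the OTR-style warning line is trying to communicate.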