[Cryptography] Does PGP use sign-then-encrypt or encrypt-then-sign?

ianG iang at iang.org
Mon Jan 27 04:18:20 EST 2014


On 27/01/14 01:44 AM, Peter Todd wrote:

> You're making a lot of assumptions about what users actually need.
> You are also forgetting that the most important thing a security
> system can do is communicate accurately to those users about what
> guarantees it actually provides so they can make that decision for
> themselves.


That is a flaw with PGP; it didn't necessarily have the richness to
express what users actually need, in today's better-known world.

But I would say that the flaw is in the presentation of the security
model.  The most important thing that a security system can do is to
align its security model to what the users need and assume, without
having to ask the users to make a decision.  K6.


> What's interesting is that in the real world message contents are
> generally regarded as sufficient basis for non-repudiation anyway;

s/non-repudiation/evidence/

Non-repudiation was an invention of cryptographers and does not exist
in the real world.

> if a message lacks a cryptographic signature courts and public
> opinion are quite happy to take other evidence into consideration.


Right.  Most documents aren't signed, and not expected to be signed.
They're still useful.

Again, we were screwed by the cryptography myth from the PKI world
that tried to sell their certs on the basis that they could be used to
sign a document.  And documents that weren't signed weren't worth
anything.  It didn't work, and we have to unroll that myth every time
we see it.


> OTR has had to work against that perception by creating concrete,
> usable, tools to forge chat transcripts. OTR ...


Nice protocol; the name is a disaster.  I gather there is a review in
the works for this protocol.  If they could get one thing right, it
would be to change the name and drop any reference to being
off-the-record.

I understand the mistake in logic was easy to make, but the logic
creates a clear trap of entrapment.  Compare and contrast your above
comments, and there is a clear dichotomy:  records kept of any chat
sessions are records presumed good before the court.

If you seek to deny the records on the basis that OTR is the tool to
forge these results, you've convicted yourself.  Just by using OTR,
you have given your accuser evidence that you intended to forge and lie.


> also uses quite different terminology than GnuPG does - in
> particular the way the encryption/authentication is presented to
> the user is to say the *chat* is being protected.


Another problem is that PGP was an email protection system, and it was
commonly thought that the email should be protected at rest as well as
in flight.  As opposed to a communications protection system, which
only protects in flight.

OTR and most chat systems (perhaps not Skype) clearly separated out
the in-flight component and the at-rest component, in ways that PGP
did not.

A further problem is the so-called security model.  Email protection
systems rarely protected you against traffic monitoring, the #1
surveillance target.  Skype on the other hand did, to a fairly good
extent, until they fell from grace.

The big picture, if one can see it, is easy (to write):  systems that
were built on 1980s thinking aren't protectable under terms we think
of today.  Abandon email, build chat systems.

...
> For a durable, non-interactive, medium like email I suspect users
> are much less likely to correctly understand exactly what is being 
> guaranteed. The idea that you can have a conversation where any 
> participant in that conversation can impersonate another just
> doesn't map to real-world experience, especially one that isn't
> real-time. The GnuPG guarantees on the other hand map really well
> to real-world sealed envelope and signed letter analogies.


Mail has already been abandoned :)  These analogies are now past their
shelf life.  The young generation don't use email, and many probably
don't even know how to send a letter or seal an envelope.



iang
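Added illustration, not code from this thread nor from OTR or GnuPG: a small Python model of what a shared-key MAC (the OTR style of message authentication) does and does not prove about a saved transcript, i.e. the "any participant can impersonate another" property discussed above. The session key, the party names and the chat lines are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Both peers hold the same MAC key (constructed stand-in for the per-session key an
# OTR key exchange would derive), so the verifying key is also the forging key.
def session_mac_key() -> bytes:
    return secrets.token_bytes(32)

def tag_line(mac_key: bytes, sender: str, text: str) -> bytes:
    """Authenticate one chat line under the shared key (HMAC-SHA256)."""
    return hmac.new(mac_key, f"{sender}\x00{text}".encode(), hashlib.sha256).digest()

def verify_line(mac_key: bytes, sender: str, text: str, tag: bytes) -> bool:
    """In-flight check: the peer learns the line came from *a* key holder, untampered."""
    return hmac.compare_digest(tag_line(mac_key, sender, text), tag)

def possible_authors(mac_key: bytes, sender: str, text: str, tag: bytes,
                     key_holders: set) -> set:
    """At-rest question a court would ask of a saved transcript: who could have
    produced this (sender, text, tag)?  A valid MAC narrows it only to everyone
    who holds the key; an invalid tag rules out everyone.  A PGP signature
    would instead pin it to the single holder of the private key."""
    if not verify_line(mac_key, sender, text, tag):
        return set()
    return set(key_holders)

def demo() -> dict:
    key = session_mac_key()
    holders = {"alice", "bob"}
    real = ("alice", "meet at noon", tag_line(key, "alice", "meet at noon"))
    # Bob holds the same key, so a line "from alice" that he wrote verifies identically.
    forged = ("alice", "I will pay in cash", tag_line(key, "alice", "I will pay in cash"))
    result = {
        "peer_accepts_real": verify_line(key, *real),
        "peer_accepts_forged": verify_line(key, *forged),
        "authors_real": possible_authors(key, *real, holders),
        "authors_forged": possible_authors(key, *forged, holders),
    }
    # OTR goes one step further and publishes expired MAC keys, so the holder set
    # becomes "anyone who read the wire" and the transcript proves nothing at all.
    result["authors_after_key_publication"] = possible_authors(key, *real, holders | {"anyone"})
    return result
```

The in-flight guarantee (verify_line) and the at-rest evidential value (possible_authors) are deliberately separate functions, mirroring the in-flight versus at-rest distinction made above.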


More information about the cryptography mailing list