[Cryptography] Rescuing Encrypt-then-Sign

Phillip Hallam-Baker phill at hallambaker.com
Thu Aug 16 20:27:11 EDT 2018


This paper shows many of the arguments surrounding the order of signature
and encryption
http://world.std.com/~dtd/sign_encrypt/sign_encrypt7.html

The paper recommends that data be signed and then encrypted. But I dislike
that order because it means that it is only possible to verify the message
after it has been decrypted. This violates a layering principle in which
data is only exposed to a device that contains a private key AFTER we know
it doesn't come from a malicious source.

So here is the alternative approach. I generate my message encryption keys
from a master secret established by the key exchange by means of a key
derivation function (HKDF) and a unique per-message salt. (I also generate
the IV for encryption and the MAC key if required).

Each set of keying material is extracted with a different and unique info
tag 'encrypt', 'mac', 'iv' and so on.

I would like to include an additional witness value that is derived from
the master secret by the KDF using another unique info tag 'sign'.

This does not quite guarantee that the signer knows the plaintext or even
the master key but does prove that whoever had the master key authorized
them to sign. That might be an interesting property.
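Added illustration, not part of the original post: a Python sketch of the
derivation the post describes, using an RFC 5869 HKDF over SHA-256 written
with the standard library only. One HKDF-Extract with the per-message salt
gives the PRK, then one HKDF-Expand per info tag ('encrypt', 'iv', 'mac',
'sign') gives independent keying material. The key lengths, the choice of
SHA-256 and the 32-byte salt are assumptions chosen for the example; the
public-key signature over the ciphertext is left out, only the witness check
the recipient can run before decrypting is shown.

```python
import hashlib
import hmac
import os

# Assumption for the example: HKDF instantiated with SHA-256.
HASH = hashlib.sha256
HASH_LEN = HASH().digest_size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract: PRK = HMAC-Hash(salt, IKM). An empty salt is
    replaced by HashLen zero bytes, as the RFC specifies."""
    if not salt:
        salt = bytes(HASH_LEN)
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC-Hash(PRK, T(i-1) | info | i),
    OKM = first `length` bytes of T(1) | T(2) | ..."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested length too large for HKDF-Expand")
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


# Info tags from the post. The lengths are assumptions for illustration:
# a 256-bit cipher key, a 96-bit IV, a 256-bit MAC key, a 256-bit witness.
KEY_LAYOUT = {
    b"encrypt": 32,
    b"iv": 12,
    b"mac": 32,
    b"sign": 32,
}


def new_message_salt() -> bytes:
    """Unique per-message salt; 32 random bytes is an assumption."""
    return os.urandom(32)


def derive_message_keys(master_secret: bytes, salt: bytes) -> dict:
    """Sender and recipient both run this: extract once with the per-message
    salt, then expand once per info tag so each key is domain-separated."""
    prk = hkdf_extract(salt, master_secret)
    return {tag.decode(): hkdf_expand(prk, tag, n) for tag, n in KEY_LAYOUT.items()}


def sender_witness(master_secret: bytes, salt: bytes) -> bytes:
    """The 'sign' value the sender includes alongside the salt in the signed
    material, proving the signer was given it by someone holding the master secret."""
    return derive_message_keys(master_secret, salt)["sign"]


def check_witness(master_secret: bytes, salt: bytes, witness: bytes) -> bool:
    """Recipient side: recompute the witness from the master secret and the
    received salt and compare in constant time. This needs only the master
    secret, so it can run before the ciphertext is handed to a decryptor."""
    expected = sender_witness(master_secret, salt)
    return hmac.compare_digest(expected, witness)
```

The recipient checks the (signature-protected) witness first, and only then
derives 'encrypt', 'iv' and 'mac' and decrypts; because every tag goes
through its own HKDF-Expand, learning the witness gives no information about
the encryption or MAC keys.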