[Cryptography] Rescuing Encrypt-then-Sig
Ray Dillinger
bear at sonic.net
Fri Aug 17 16:53:50 EDT 2018
On 08/16/2018 05:27 PM, Phillip Hallam-Baker wrote:
> This paper shows many of the arguments surrounding the order of
> signature and encryption
> http://world.std.com/~dtd/sign_encrypt/sign_encrypt7.html
> <http://world.std.com/%7Edtd/sign_encrypt/sign_encrypt7.html>
>
> The paper recommends that data be signed and then encrypted. But I
> dislike that order because it means that it is only possible to verify
> the message after it has been decrypted. This violates a layering
> principle in which data is only exposed to a device that contains a
> private key AFTER we know it doesn't come from a malicious source.
It seems to me that the incessant sign/encrypt vs encrypt/sign debate
happens because there are a couple of different purposes being served
here, and that the correct answer might be to use cryptographic
operations to explicitly perform both of them.
Is there a fundamental problem that's a GOOD reason why everybody isn't
using
encrypt(privacy of message) /
sign (authentication of encrypted message) /
encrypt(privacy of encrypted signature and message)
?
So when Bob sends a message to Alice, It allows Alice (and nobody else)
to check the signature and decide, eg, that this is a message she does
not want to decrypt on the present machine, at the present time, or in
the present environment.
This way, Alice can, eg, search on "verified sender or signer" without
exposing the signature to Carol the mailman, nor exposing the plaintext
to the system where the mail is stored.
Bear
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20180817/097afc74/attachment.sig>
More information about the cryptography
mailing list