[Cryptography] Rescuing Encrypt-then-Sig

Natanael natanael.l at gmail.com
Sat Aug 18 04:21:21 EDT 2018


On Sat, 18 Aug 2018 at 09:23, Ray Dillinger <bear at sonic.net> wrote:

>
>
> On 08/16/2018 05:27 PM, Phillip Hallam-Baker wrote:
> [...]
> > The paper recommends that data be signed and then encrypted. But I
> > dislike that order because it means that it is only possible to verify
> > the message after it has been decrypted. This violates a layering
> > principle in which data is only exposed to a device that contains a
> > private key AFTER we know it doesn't come from a malicious source.
>
> [...]
> Is there a fundamental problem that's a GOOD reason why everybody isn't
> using
>
> encrypt(privacy of message) /
> sign (authentication of encrypted message) /
> encrypt(privacy of encrypted signature and message)
>
> ?
>
> So when Bob sends a message to Alice, it allows Alice (and nobody else)
> to check the signature and decide, e.g., that this is a message she does
> not want to decrypt on the present machine, at the present time, or in
> the present environment.
>
> This way, Alice can, e.g., search on "verified sender or signer" without
> exposing the signature to Carol the mailman, nor exposing the plaintext
> to the system where the mail is stored.


There should be easier (or faster) ways. Why not HMAC both the plaintext
and the ciphertext and bundle those two tags with the ciphertext? No need
for multiple encryption, no new data leaks. Perhaps you can even sign the
tags if you want to involve public keys, and maybe only separately encrypt
the tags + signature if you want added privacy without encrypting the full
plaintext message twice (but how would you know which key to use to
decrypt, trial and error?).
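
One way to lay out the two-tag bundle suggested in the message above, as an added example that is not part of the original post: the ciphertext tag is checked before the decryption key is used at all, and the plaintext tag is checked after decryption. The three independent keys, the field order, the function names and the SHA-256 counter-mode stand-in cipher are assumptions made for the demo.

```python
import hashlib
import hmac
import os

TAG_LEN = 32    # HMAC-SHA256 output size
NONCE_LEN = 16

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Constructed stand-in cipher (SHA-256 in counter mode) so the demo runs
    # with the standard library only; use a vetted cipher in real code.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def _tag(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def seal(enc_key: bytes, ct_mac_key: bytes, pt_mac_key: bytes, plaintext: bytes) -> bytes:
    """Return ct_tag || pt_tag || nonce || ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    body = nonce + _keystream_xor(enc_key, nonce, plaintext)
    return _tag(ct_mac_key, body) + _tag(pt_mac_key, plaintext) + body

def check_ciphertext(ct_mac_key: bytes, bundle: bytes) -> bool:
    """Authenticate the ciphertext; needs no decryption key."""
    if len(bundle) < 2 * TAG_LEN + NONCE_LEN:
        return False
    expected = _tag(ct_mac_key, bundle[2 * TAG_LEN:])
    return hmac.compare_digest(bundle[:TAG_LEN], expected)

def open_bundle(enc_key: bytes, ct_mac_key: bytes, pt_mac_key: bytes, bundle: bytes) -> bytes:
    """Verify the ciphertext tag, decrypt, then verify the plaintext tag."""
    if not check_ciphertext(ct_mac_key, bundle):
        raise ValueError("ciphertext tag mismatch, refusing to decrypt")
    pt_tag, body = bundle[TAG_LEN:2 * TAG_LEN], bundle[2 * TAG_LEN:]
    plaintext = _keystream_xor(enc_key, body[:NONCE_LEN], body[NONCE_LEN:])
    if not hmac.compare_digest(pt_tag, _tag(pt_mac_key, plaintext)):
        raise ValueError("plaintext tag mismatch")
    return plaintext

if __name__ == "__main__":
    k_enc, k_ct, k_pt = (os.urandom(32) for _ in range(3))  # constructed keys
    bundle = seal(k_enc, k_ct, k_pt, b"meet at noon")
    print(check_ciphertext(k_ct, bundle), open_bundle(k_enc, k_ct, k_pt, bundle))
```

The plaintext tag is a deterministic function of its key and the message, so two bundles carrying the same plaintext under the same key carry the same plaintext tag even though their nonces and ciphertexts differ.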