[Cryptography] Rescuing Encrypt-then-Sig

Jerry Leichter leichter at lrw.com
Mon Aug 20 01:50:31 EDT 2018


>> ....This violates a layering
>> principle in which data is only exposed to a device that contains a
>> private key AFTER we know it doesn't come from a malicious source.
> It seems to me that the incessant sign/encrypt vs encrypt/sign debate
> happens because there are a couple of different purposes being served
> here, and that the correct answer might be to use cryptographic
> operations to explicitly perform both of them.
> 
> Is there a fundamental problem that's a GOOD reason why everybody isn't
> using
> 
> encrypt(privacy of message) /
> sign (authentication of encrypted message) /
> encrypt(privacy of encrypted signature and message)
This has exactly the problem the original poster set out to solve:  You have to decrypt a message whose provenance you can't be sure of.

It's certainly true that *if the message was actually produced using E/S/E*, then the contents of the inner message are essentially random.  But that's hardly something an attacker who is going after a vulnerability in the decryption engine (like the recently described, though very old, problems in PGP) has to do....
                                                        -- Jerry
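
Added example, not part of the original post: a sketch of the receive path for encrypt-then-sign versus E/S/E, counting how often a decryption engine has to process input whose provenance is still unknown. HMAC-SHA256 stands in for the signature and a toy SHAKE-256 keystream for encryption (both assumptions made so the block runs with the standard library only); all names are hypothetical.

```python
import hashlib, hmac, os

TAG = 32  # length of the stand-in "signature"
def sign(key, data):      # assumption: HMAC-SHA256 stands in for a real signature
    return hmac.new(key, data, hashlib.sha256).digest()
def verify(key, data, tag):
    return hmac.compare_digest(sign(key, data), tag)

class DecryptionEngine:
    """Stand-in for the device holding a private key (toy keystream cipher)."""
    def __init__(self, key):
        self.key = key
        self.unauthenticated_inputs = 0  # inputs processed before provenance was known
    def _xor(self, nonce, data):
        stream = hashlib.shake_256(self.key + nonce).digest(len(data))
        return bytes(a ^ b for a, b in zip(data, stream))
    def encrypt(self, plaintext):
        nonce = os.urandom(16)
        return nonce + self._xor(nonce, plaintext)
    def decrypt(self, blob, authenticated):
        if not authenticated:
            self.unauthenticated_inputs += 1
        return self._xor(blob[:16], blob[16:])

def send_es(m, inner, sig_key):
    c = inner.encrypt(m)
    return c + sign(sig_key, c)
def send_ese(m, outer, inner, sig_key):
    return outer.encrypt(send_es(m, inner, sig_key))

def receive_es(msg, inner, sig_key):
    body, tag = msg[:-TAG], msg[-TAG:]
    if not verify(sig_key, body, tag):
        return None                                   # rejected; engine never invoked
    return inner.decrypt(body, authenticated=True)

def receive_ese(msg, outer, inner, sig_key):
    signed = outer.decrypt(msg, authenticated=False)  # must decrypt before any check
    body, tag = signed[:-TAG], signed[-TAG:]
    if not verify(sig_key, body, tag):
        return None
    return inner.decrypt(body, authenticated=True)

def exposure_to_forgery(use_ese):
    outer, inner = DecryptionEngine(os.urandom(32)), DecryptionEngine(os.urandom(32))
    sig_key, forged = os.urandom(32), os.urandom(96)  # forged: constructed attacker bytes
    out = receive_ese(forged, outer, inner, sig_key) if use_ese else receive_es(forged, inner, sig_key)
    return out, outer.unauthenticated_inputs + inner.unauthenticated_inputs
```

Both receivers reject the forged blob, but only the E/S/E receiver has already run its outer decryption on it by the time the signature check fails.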


