[Cryptography] Rescuing Encrypt-then-Sig

Phillip Hallam-Baker phill at hallambaker.com
Thu Aug 23 16:26:44 EDT 2018


OK, here is how I 'solved' the problem:

To encrypt, I establish a master secret using the key agreement
information. I then derive encryption parameters (key, IV, MAC key) from
that master key using a KDF and a unique 128+ bit nonce (salt): Key = KDF
(salt, "encrypt") and so on.

I encrypt the plaintext, calculate the digest of the ciphertext and sign.

To provide proof of knowledge of the plaintext, I provide a separate
witness value Witness = KDF (salt, Signature) and provide that as an opaque
value together with the signature. This has some very interesting
properties.

One of the most important for me is that I only require the signature to be
authorized by a party with actual knowledge of the key exchange parameters.
It is not necessary for the signer to have the plaintext, just the digest.
This is much easier to support when the signer is a remote device.

While this does not eliminate all the possibilities of protocol confusion
arising from what the signer intended, I don't think the signing order is
sufficient to address those either. Those are questions of cryptographic
application design, and it is naive to think that a single approach can
address every concern in every case. It is not Alice who encrypts the
message; it is a collection of computer systems nominally under her control
that sign the message.