Re: secure sign & encrypt
Sorry, vedaal, but you are incorrect. With current OpenPGP it _IS_
possible to strip off the encryption from a message and re-encrypt it
to another user, keeping the signature intact. In fact, back in the
early 90's (and mid-90's when we were first designing the pre-OpenPGP
packets), this was in fact a design goal!
Remember that a signed/encrypted message looks like:
ESK{PubA, K} ... Enc{K, PreSig{Hash{M}}, Lit{M}, PostSig{Hash{M}}}
Given this format, you can easily replace the K in ESK{} and Enc{}
without destroying the PreSig, Literal, PostSig packets.
Now, it may be that the current _implementations_ do not make it easy
for a user to do so, but that is an implementation detail, not a
protocol detail. The protocol could allow you to do so.
-derek
"vedaal" <vedaal@xxxxxxxxxxx> writes:
> ----- Original Message -----
> From: "Terje Braaten" <Terje.Braaten@xxxxxxxxxx>
> To: <ietf-openpgp@xxxxxxx>
> Sent: Monday, May 20, 2002 7:31 PM
> Subject: RE: secure sign & encrypt
>
> [...]
>
> > The problem is that most users when they decrypt a message
> > that is signed, they will think they can be sure the signer
> > and the encrypter is the same person/entity.
> > It would be a major improvement in the OpenPGP specification
> > to allow applications to ensure that that really is the case.
>
> [...]
>
> Functionally, that is the case now in Open PGP.
>
> Even though a signed and encrypted message can be separated into a
> verifiable free standing signed message, and then
> re-encrypted and sent on to someone else,
> it 'cannot' {afaik} be re-combined into a signed and encrypted message that
> appears the same as a de-novo signed and encrypted message.
>
> The most that can be done with the separation and re-encryption, is to have
> a message, that upon decryption, is clearsigned,
> or armored signed, and even the armored signed message is clearly of a
> different form than a de novo armored signed message;
> {a de novo armored signed message always has the message block begin with
> the letters 'ow', the separated armored signed
> message never does}.
>
> Someone receiving a re-encrypted separated signed message, can instantly
> tell upon decryption, that it was an 'intentionally'
> re-encrypted message, and not an original.
>
> The only time that this could be a problem, is for very new users, who may
> inadvertently get into a habit of clearsigning and then encrypting, instead
> of using the one-function 'sign and encrypt', and as soon as it is pointed
> out to them that it is simpler and easier to use 'sign and encrypt' single
> function, they will probably do so.
>
> hth,
>
> vedaal
>
--
Derek Atkins
Computer and Internet Security Consultant
derek@xxxxxxxxx www.ihtfp.com
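
The packet layout discussed in this message, as an added toy model (not code from the thread or from any OpenPGP implementation): the signature is computed over Hash{M} only, so it verifies identically under any K and ESK, and a reader who wants to know the message was meant for them needs a separate check. Assumptions: a constructed toy RSA key, an XOR keystream standing in for Enc{}, a plain record standing in for ESK{}, one signature packet instead of the PreSig/PostSig pair, and a hypothetical application convention that the signed text begins with a `To:` line.

```python
import hashlib, json

# Constructed toy RSA signing key (two Mersenne primes); far too small for real use.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))

def digest(m: bytes) -> int:
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % N

def sign(m: bytes) -> int:
    """Sig packet: computed over Hash{M} only, nothing about K or the recipient."""
    return pow(digest(m), D, N)

def verify(m: bytes, sig: int) -> bool:
    return pow(sig, E, N) == digest(m)

def xor_stream(k: bytes, data: bytes) -> bytes:
    """Toy stand-in for Enc{K, ...}: XOR with a SHA-256 counter keystream."""
    ks = b"".join(hashlib.sha256(k + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(recipient: str, k: bytes, inner: bytes) -> dict:
    """ESK{Pub, K} is modelled as a plain record; real ESK encrypts K to Pub."""
    return {"esk": {"to": recipient, "k": k}, "enc": xor_stream(k, inner)}

def unseal(msg: dict) -> bytes:
    return xor_stream(msg["esk"]["k"], msg["enc"])

def inner_packets(m: bytes) -> bytes:
    """Sig{Hash{M}} + Lit{M}, serialised as JSON for the model."""
    return json.dumps({"sig": sign(m), "lit": m.decode()}).encode()

def check(msg: dict, reader: str) -> dict:
    """What the reader can conclude after decrypting and verifying."""
    p = json.loads(unseal(msg))
    return {"sig_ok": verify(p["lit"].encode(), p["sig"]),
            # Application-level check (assumption): signed text names its addressee.
            "addressed_to_reader": p["lit"].startswith(f"To: {reader}\n")}

def demo() -> tuple:
    m = b"To: A\nThe deal is approved.\n"          # constructed message
    first = seal("A", b"K1-session-key", inner_packets(m))
    # Same inner packets under a new K and ESK, as the message describes.
    second = seal("B", b"K2-session-key", unseal(first))
    return check(first, "A"), check(second, "B")
```

In both results `sig_ok` is true; only the addressee check over the signed text differs, which is the distinction the signature alone cannot give the reader.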