
Re: Recipient-verifiable messages, was: forwarding an encrypted PGP message is useless



Hal Finney <hal@xxxxxxxxxx>:
> Adam Back writes:

>> What we proposed is related.  Rather
>> than the normal encrypted signed message:
>>
>> 	Encrypt_Bob(K), Encrypt(K, Sign_Alice(Hash(msg)), msg)
>>
>> we proposed:
>>
>> 	Encrypt_Bob(K), Encrypt(K, Sign_Alice(Hash(K||Bob_PK)), msg)
>>
>> with the additional restriction that the encryption mode should be one
>> of the MDC modes (ie appended MAC with K outside encryption, or
>> appended hash of msg inside encryption).

>> To break that down: we hash Bob's public key so that Bob can't turn
>> around and forge an arbitrary message from Alice to Charlie using
>> signed K.  What Bob is left with is proof that Alice sent him a
>> message, but no evidence of what the message body was.

> I see, that seems to work well too.  [...]

Does it?  If Bob is willing to reveal  K  and additional data such as
padding used for RSA encryption, can't everyone verify that this is
indeed a valid signature by Alice on 'msg'?



-- 
Bodo Möller <moeller@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
PGP http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller/0x36d2c658.html
* TU Darmstadt, Theoretische Informatik, Alexanderstr. 10, D-64283 Darmstadt
* Tel. +49-6151-16-6628, Fax +49-6151-16-6036
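A toy model of the construction Adam describes and of the disclosure Bodo asks about, added here as an illustration; it is not code from the thread or from any of its authors. Everything in it is an assumption of mine: textbook RSA over fixed Mersenne-prime moduli stands in for PGP's RSA, a SHA-256 counter keystream with an HMAC under K stands in for the cipher and the "appended MAC with K outside encryption" MDC mode, a 16-byte random pad stands in for the RSA encryption padding, and the function names (alice_send, bob_receive, third_party_verify, check_as_recipient) and the sample message are made up for the demo.

```python
import hashlib
import hmac
import random

_rng = random.Random(20240101)  # deterministic so the demo reproduces; real code uses the secrets module
PADLEN, KEYLEN = 16, 32         # hypothetical sizes for the random RSA padding and the session key K

# ---- toy textbook RSA standing in for PGP's RSA. Moduli are products of fixed Mersenne
# primes 2^k - 1 so no prime generation is needed: trivially factorable, no OAEP/PSS, never
# use for real. e = 65537 never divides 2^k - 1 unless 32 | k, so it is coprime to phi here.
def rsa_keygen(k1, k2):
    p, q = (1 << k1) - 1, (1 << k2) - 1
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, 65537), (n, pow(65537, -1, phi))   # (public, private)

def _modlen(key):
    return (key[0].bit_length() + 7) // 8

def pk_bytes(pub):
    """Canonical public-key encoding: the Bob_PK that Alice hashes together with K."""
    return pub[0].to_bytes(_modlen(pub), "big") + pub[1].to_bytes(4, "big")

def rsa_sign(priv, digest):
    return pow(int.from_bytes(digest, "big"), priv[1], priv[0]).to_bytes(_modlen(priv), "big")

def rsa_verify(pub, digest, sig):
    return pow(int.from_bytes(sig, "big"), pub[1], pub[0]) == int.from_bytes(digest, "big")

def rsa_encrypt(pub, pad, K):
    """Encrypt_Bob(K) = (pad || K)^e mod n; pad is the padding Bodo says Bob could reveal."""
    return pow(int.from_bytes(pad + K, "big"), pub[1], pub[0])

def rsa_decrypt(priv, c):
    m = pow(c, priv[1], priv[0]).to_bytes(PADLEN + KEYLEN, "big")
    return m[:PADLEN], m[PADLEN:]

# ---- symmetric layer: SHA-256 counter keystream plus an HMAC under K, i.e. Adam's
# "appended MAC with K outside encryption" flavour of MDC mode (assumed, not PGP's cipher) ----
def _keystream(K, length):
    blocks = (hashlib.sha256(K + i.to_bytes(8, "big")).digest() for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def sym_seal(K, plaintext):
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(K, len(plaintext))))
    return ct + hmac.new(K, ct, hashlib.sha256).digest()

def sym_open(K, sealed):
    ct, tag = sealed[:-32], sealed[-32:]
    if not hmac.compare_digest(tag, hmac.new(K, ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(K, len(ct))))

# ---- the construction quoted in the thread ----
def alice_send(alice_priv, bob_pub, msg):
    """Encrypt_Bob(K), Encrypt(K, Sign_Alice(Hash(K || Bob_PK)) || msg)."""
    K = _rng.getrandbits(8 * KEYLEN).to_bytes(KEYLEN, "big")
    pad = _rng.getrandbits(8 * PADLEN).to_bytes(PADLEN, "big")
    sig = rsa_sign(alice_priv, hashlib.sha256(K + pk_bytes(bob_pub)).digest())
    return rsa_encrypt(bob_pub, pad, K), sym_seal(K, sig + msg)

def check_as_recipient(recipient_pub, alice_pub, K, sealed):
    """Open the body under K and test Alice's signature against Hash(K || recipient_PK)."""
    inner = sym_open(K, sealed)
    if inner is None:
        return False, None
    sig, msg = inner[:_modlen(alice_pub)], inner[_modlen(alice_pub):]
    return rsa_verify(alice_pub, hashlib.sha256(K + pk_bytes(recipient_pub)).digest(), sig), msg

def bob_receive(bob_priv, bob_pub, alice_pub, encK, sealed):
    pad, K = rsa_decrypt(bob_priv, encK)
    return (*check_as_recipient(bob_pub, alice_pub, K, sealed), K, pad)  # Bob now holds K and pad

def third_party_verify(bob_pub, alice_pub, encK, sealed, K, pad):
    """Bodo's objection: given the transcript plus K and pad disclosed by Bob, anyone can
    recompute Encrypt_Bob(K), check the MAC that binds msg to K, and check the signature
    that binds K and Bob's key to Alice, so msg is now provably Alice's."""
    if rsa_encrypt(bob_pub, pad, K) != encK:
        return False, None
    return check_as_recipient(bob_pub, alice_pub, K, sealed)

def demo(msg=b"Meet at noon."):
    alice_pub, alice_priv = rsa_keygen(521, 607)
    bob_pub, bob_priv = rsa_keygen(1279, 2203)
    charlie_pub, _ = rsa_keygen(2281, 3217)
    encK, sealed = alice_send(alice_priv, bob_pub, msg)
    bob_ok, _, K, pad = bob_receive(bob_priv, bob_pub, alice_pub, encK, sealed)
    charlie_ok, charlie_msg = third_party_verify(bob_pub, alice_pub, encK, sealed, K, pad)
    wrong_pad = bytes(b ^ 0xFF for b in pad)
    return {
        "bob_accepts": bob_ok,
        "charlie_convinced": charlie_ok,
        "charlie_msg": charlie_msg,
        "wrong_pad_rejected": not third_party_verify(bob_pub, alice_pub, encK, sealed, K, wrong_pad)[0],
        "reused_for_charlie": check_as_recipient(charlie_pub, alice_pub, K, sealed)[0],  # Adam's guard
    }

if __name__ == "__main__":
    print(demo())
```

Running demo() shows both halves of the discussion: Bob accepts the message, and the hashed Bob_PK still stops him from passing the signature off to Charlie (reused_for_charlie is False). But once Bob hands over K and the pad, third_party_verify recomputes Encrypt_Bob(K) from them, checks the MAC, recovers the body and verifies Alice's signature, so charlie_convinced is True and charlie_msg is the plaintext. In this model the MAC under K is exactly what ties the body to the K that Alice signed, which is why disclosing K is enough.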