On Sun, 2005-08-14 at 16:30 +0100, Ben Laurie wrote: > Jeroen Massar wrote: > > On Sun, 2005-08-14 at 14:24 +0100, Ben Laurie wrote: > > > >>Jeroen Massar wrote: > > > > <SNIP> > > > >>>* sign(encrypt(message)) > > > > <SNIP> > > > >>More importantly, perhaps, Krawczyk has shown that, in general, sign > >>then encrypt is insecure. > > > > > > Which exact paper do you mean? > > http://eprint.iacr.org/2001/045 Which nicely says, already in the abstract btw, "Thus, while we show the generic security of SSL to be broken, the current standard implementations of the protocol that use the above modes of encryption are safe." Also, to really take care of your worries, one could do: encrypt(sign(encrypt(message)) which gives the same properties I specified before, although with some overhead. It will actually give an additional property that only the receiver is known and nobody else can figure out who send the message. Greets, Jeroen
Attachment:
signature.asc
Description: This is a digitally signed message part