Re: Encrypt then sign insecure?



Ben Laurie wrote:
> Hal Finney wrote:
> > This paper doesn't apply to systems like OpenPGP which compose public
> > key signatures with public key encryption.  Rather, it investigates the
> > composition of symmetric encryption (e.g. AES) with MAC.
> ...
> This does not seem to me to be true. OpenPGP uses symmetric encryption 
> under the hood, and signs the plaintext rather than the ciphertext. All 
> that is needed is an oracle which will say whether the signature is 
> correct or not.

Krawczyk's paper is about combining MAC and symmetric encryption.
That's not what OpenPGP does.  We don't do MACs.

> Furthermore, OpenPGP does not use CBC, so the security proof from the 
> paper doesn't help.

That's true, but the point is that the paper is not about systems like
OpenPGP at all.

Hal Finney