ietf-openpgp
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: separation of signed and encrypted pgp mesages into signed pgp messages

2001-07-02 13:37:32
from [Michael Young] [Permanent Link] 

-----BEGIN PGP SIGNED MESSAGE-----


There was a recent paper,

<http://world.std.com/~dtd/sign_encrypt/sign_encrypt7.html>

describing a flaw in the sign and encrypt function of Open PGP.


Despite the gratuitously over-hyped title, the paper does make it
clear that the "flaw" is one of understanding.  In particular, it is
necessary to understand *what* is being signed, and for many systems,
it is *only* the message body.  Unsigned material, including headers
(sender, receiver, and what-not), can be changed.  If you want clear
identities (or other context) in the signed text, you need to put
them there.

Yes, some products gloss over the details.  PGP, for instance,
labels the function "Encrypt&Sign" when it really works in the
other order.


the author assumes that is is possible for the recipient
to strip off the encryption from a signed and encrypted pgp message, 
leaving only a verified signed message,
and that the ability to do this is ensured in the Open PGP Standard


Yes.  This *can* be a desirable feature.  If you don't like it, you
can: (a) include enough context in the signed material; and/or, (b)
manually encrypt, then sign (but as the paper points out, doing so
without context offers only marginally different protection).  I'd be
more than happy for end-user agents to offer to do one or both.  I
would not be happy with the specification mandating particular agent
behavior -- it does not appear to mandate sign-then-encrypt now.


{afaik} this can be done in pgp only when both the receiver and sender are
using RSA keys, 


No.  The specification does not tie packet composition to the type
of key used.  [But in practice: newer PGP versions that support DSA/DH
keys also support one-pass signatures, so they may have extra packets,
but this has no bearing on the "problem" at hand.]

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3

iQEVAwUBO0DbImNDnIII+QUHAQExNAf+PhMkaRRRQDpATekpf+SH6KMXjxb6dck5
BHBX2U8g3MN0FrsCCI5VSDlL7vPELLgEx+aY2b0PjstiieuQpWUj87kJ3v3lKrhr
w5g/GCw/dAGN7hCO/uXKkQNR/OcqZnDcaTP+z3n3mlUpkFJV1EvrSEPWRvYwLCmr
zYsc/oMFsj00a5m2Y3xkyB9Zr/qsBxLaPO6OwvtJ8SNnetjIVW29KsccDs26I3ch
zFkppBpVqwk6V7cIb7UIYpc1SZkxHFhmzjr9gbN8Jx8BuHG4I92SDhCy9iqX4ybk
/2vou8pGWRz2DdVrWidaASg0qbdVVuMH+TsDWp1pWT09peSeMBRB2g==
=w8B7
-----END PGP SIGNATURE-----
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: separation of signed and encrypted pgp mesages into signed pgp messages, Jon Callas
Next by Date:  [urgent] PGP/MIME IANA considerations: file extensions, Macintosh file type codes., Thomas Roessler
Previous by Thread:  Re: separation of signed and encrypted pgp mesages into signed pgp messages, Jon Callas
Next by Thread:  [urgent] PGP/MIME IANA considerations: file extensions, Macintosh file type codes., Thomas Roessler
Indexes:  [Date] [Thread] [Top] [All Lists]