ietf-openpgp
[Top] [All Lists]

Re: Recipient-verifiable messages, was: forwarding an encrypted PGP message is useless

2002-04-17 18:26:06

Only just saw this thread due to mailer config issue and Ian Brown
pointed it out to me.

The approach of signing encrypted key and using the key to MAC the
data is interesting.  It's very similar to what Ian and I proposed in:

Non-Transferable Signatures using PGP, Usenix Annual Technical
Conference, 98, Ian Brown and Adam Back

There's a short summary here:

        http://www.cs.ucl.ac.uk/staff/I.Brown/nts.htm

Unfortunately I think that adding a new flavor of signature would tend
to create confusion among users who at best barely understand public
key cryptography.  The new kind of signature would have very different
security properties and usage scenarios, so it would add additional
complexity for people to deal with.

I don't think that so bad.  I think a reasonable approach for example
would be to by default non-transferably sign when messages are
encrypted and transferably sign when they are not (which makes sense
as it's probably what you want anyway as you described in a later
message, and with this particular scheme you can't sign without
encrypting).

btw We originally were going to put the non-transferable signature
stuff in the Forward Secrecy Extensions for PGP ID, but opted instead
to separate concerns and keep the ID simple.

        http://www.cypherspace.org/openpgp/pfs/openpgp-pfs.txt

Adam

On Thu, Apr 11, 2002 at 08:45:39AM -0700, Hal Finney wrote:
I haven't read this RFC, but I had a long discussion with Wei Dai last
year about ways to do this within the OpenPGP framework.  We came up with
a couple of ideas.  These might be called "recipient-verifiable" signed
messages, to distinguish them from the regular PGP signed messages which
are "world-verifiable".  The general approach is to make the message such
that the recipient could "forge" fake messages from the sender that look
legitimate to third parties.  This prevents the real message from being
shown around in a convincing way.

Wei suggested that the recipient-verifiable message from Alice to Bob
could be as follows:

Sign_Alice( Encrypt_Bob( K ) ), MAC_K( Msg ), Msg.

The idea is that Alice chooses a MAC key K, encrypts it to Bob and then
signs the encrypted packet.  She sends this, along with the MAC'd message,
to Bob.  Bob can recover K from the encrypted packet, verifying the
signature by Alice on that packet, and then verify the MAC.