ietf-openpgp
[Top] [All Lists]

Re: Recipient-verifiable messages, was: forwarding an encrypted PGP message is useless

2002-04-18 12:29:49

Adam Back writes:
What we proposed is related.  Rather
than the normal encrypted signed message:

      Encrypt_Bob(K), Encrypt(K, Sign_Alice(Hash(msg)), msg)

we proposed:

      Encrypt_Bob(K), Encrypt(K, Sign_Alice(Hash(K||Bob_PK)), msg)

with the additional restriction that the encryption mode should be one
of the MDC modes (ie appended MAC with K outside encryption, or
appended hash of msg inside encryption).

I see, that seems to work well too.  Plus it hides the nature of the
internal signature because it looks like a regular, opaque encryption
message on the outside.

To break that down: we hash Bob's public key so that Bob can't turn
around and forge an arbitrary an arbitrary message from Alice to
Charlie using signed K.  What Bob is left with is proof that Alice
sent him a message, but no evidence of what the message body was.

The approach generalises to multiple recipient's: either hash in all
of the recipient public keys, or include signatures for each recipient
-- the latter is probably preferable as then the recipient doesn't
need all the other recipient's public keys to verify.

I don't think that works for multiple recipients, because any recipient
can recover K, alter the msg, and re-create an apparently valid message
that would be accepted by other recipients.  Alice's signature is only
on K and public keys so that part doesn't change when the msg does.


Indeed.  One aspect of our proposal which may be good is that
extracting a signature contained inside an encrypted message is
already not directly supported.  So nothing _new_ has been added from
the users perspective -- rather that feature has been
cryptographically assured rather than just being an unimplemented
implementation possibility.

Actually I think PGP 2.X did have the ability to strip off one layer
of PGP processing, so it could be used to turn a signed-and-encrypted
message into a signed one.  It would not be cleartext signed, it would use
literal packets, but it would be a legal signed message.  Perhaps GnuPG
has retained the ability to do this.

Hal