Hal Finney wrote:
The approach generalises to multiple recipient's: either hash in all
of the recipient public keys, or include signatures for each recipient
-- the latter is probably preferable as then the recipient doesn't
need all the other recipient's public keys to verify.
I don't think that works for multiple recipients, because any recipient
can recover K, alter the msg, and re-create an apparently valid message
that would be accepted by other recipients. Alice's signature is only
on K and public keys so that part doesn't change when the msg does.
You're right. That doesn't work. See below...
On Wed, Apr 17, 2002 at 06:58:20PM -0700, Hal Finney wrote:
[...]
This concept can be applied pretty straightforwardly to the mathematical
key-combining technique, I think (I figured out how to do it once) but
I don't see how to use the simple hash/encrypt trick to accomplish this.
On the simple hash/encrypt approach, I think this should work:
Alice sending non-transferably signed message to Bob and Charlie:
Encrypt_Bob(K_B), Encrypt( K_B, Sign_Alice(K_B||Bob), H(msg) ),
Encrypt_Charlie(K_C), Encrypt( K_C, Sign_Alice(K_C||Charlie), H(msg) ),
msg
the message could optionally be encrypted using standard multiple
recipient technique (just include common key K):
Encrypt_Bob(K_B,K), Encrypt( K_B, Sign_Alice(K_B||Bob), H(msg) ),
Encrypt_Charlie(K_C,K), Encrypt( K_C, Sign_Alice(K_C||Charlie), H(msg) ),
Encrypt( K, msg )
The Encrypt() function should include MDC in both uses.
Bob can't transfer signatures as all he has is a signature that he
received a message from Alice and a random key. He could forge any
message to himself with that information.
Similarly Bob and Charlie collaborating also can not transfer
signatures from Alice as they can collaboratively forge any message to
themselves.
As long as K_B is kept secret Bob is sure Alice sent him the message,
but can't convince anyone else of this fact.
Bob can't forge a message from Alice to Charlie with the information
he sees as he doesn't see Sign_Alice(K_C||Charlie), and can't
transform Sign_Alice(K_B||Bob) into that, and he doesn't know KC so he
can't decrypt to find out, nor can he modify the encryption because of
the MDC also keyed via K_C.
Adam
--
http://www.cypherspace.org/adam/