Re: secure sign & encrypt

2002-05-21 07:41:37

Sorry, vedaal, but you are incorrect.  With current OpenPGP it _IS_
possible to strip off the encryption from a message and re-encrypt it
to another user, keeping the signature intact.  In fact, back in the
early 90's (and mid-90's when we were first designing the pre-OpenPGP
packets), this was in fact a design goal!

Remember that a signed/encrypted message looks like:

        ESK{PubA, K} ... Enc{K, PreSig{Hash{M}}, Lit{M}, PostSig{Hash{M}}}

Given this format, you can easily replace the K in ESK{} and Enc{}
without destroying the PreSig, Literal, PostSig packets.

Now, it may be that the current _implementations_ do not make it easy
for a user to do so, but that is an implementation detail, not a
protocol detail.  The protocol could allow you to do so.


"vedaal" <vedaal(_at_)hotmail(_dot_)com> writes:

----- Original Message -----
From: "Terje Braaten" <Terje(_dot_)Braaten(_at_)concept(_dot_)fr>
To: <ietf-openpgp(_at_)imc(_dot_)org>
Sent: Monday, May 20, 2002 7:31 PM
Subject: RE: secure sign & encrypt


> The problem is that most users when they decrypt a message
> that is signed, they will think they can be sure the signer
> and the encrypter is the same person/entity.
> It would be a major improvement in the OpenPGP specification
> to allow applications to ensure that that really is the case.


Functionally, that is the case now in Open PGP.

Even though a signed and encrypted message can be separated into a
verifiable free standing signed message, and then
re-encrypted and sent on to someone else,
it 'cannot' {afaik} be re-combined into a signed and encrypted message that
appears the same as a de-novo signed and encrypted message.

The most that can be done with the separation and re-encryption, is to have
a message, that upon decryption, is clearsigned,
or armored signed, and even the armored signed message is clearly of a
different form than a de novo armored signed message;
{a de novo armored signed message always has the message block begin with
the letters 'ow', the separated armored signed
message never does}.

Someone receiving a re-encrypted separated signed message, can instantly
tell upon decryption, that it was an 'intentionally'
re-encrypted message, and not an original.

The only time that this could be a problem, is for very new users, who may
inadvertently get into a habit of clearsigning and then encrypting, instead
of using the one-function 'sign and encrypt', and as soon as it is pointed
out to them that it is simpler and easier to use the 'sign and encrypt' single
function, they will probably do so.



       Derek Atkins
       Computer and Internet Security Consultant
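
The packet layout described in the message above, modelled as an added example that is not part of the original e-mail or of any OpenPGP implementation. It assumes toy stand-ins throughout: a SHA-256 counter-mode XOR stream for Enc{} and ESK{}, an HMAC for the signature, and a single signature-plus-literal blob in place of the PreSig/Lit/PostSig packets. It shows why a verifier cannot infer the encrypter from a valid signature.

```python
import hashlib, hmac, secrets

def stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy cipher (SHA-256 in counter mode); stand-in for Enc{K, ...} and ESK{}."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def sign(signer_key: bytes, message: bytes) -> bytes:
    """Stand-in for Sig{Hash{M}}: it covers the message and nothing else."""
    digest = hashlib.sha256(message).digest()
    return hmac.new(signer_key, digest, "sha256").digest()

def verify(signer_key: bytes, inner: bytes):
    sig, message = inner[:32], inner[32:]
    return hmac.compare_digest(sig, sign(signer_key, message)), message

def seal(recipient_key: bytes, inner: bytes) -> dict:
    """ESK{Pub, K} followed by Enc{K, inner}, with a fresh session key K."""
    k = secrets.token_bytes(32)
    return {"esk": stream_xor(recipient_key, k), "enc": stream_xor(k, inner)}

def unseal(recipient_key: bytes, msg: dict) -> bytes:
    """Recover K from the ESK, then the inner signed packets from Enc."""
    k = stream_xor(recipient_key, msg["esk"])
    return stream_xor(k, msg["enc"])

def demo() -> dict:
    # Constructed keys and message; the names are hypothetical.
    signer, bob, carol = (secrets.token_bytes(32) for _ in range(3))
    message = b"constructed sample text"
    inner = sign(signer, message) + message      # signature + literal data
    original = seal(bob, inner)                  # signed and encrypted to bob
    recovered = unseal(bob, original)            # bob strips the encryption
    resealed = seal(carol, recovered)            # new K and ESK, same inner bytes
    forwarded = unseal(carol, resealed)
    ok, text = verify(signer, forwarded)
    return {
        "inner_identical": forwarded == inner,
        "signature_valid": ok,
        "esk_changed": original["esk"] != resealed["esk"],
        "message": text,
    }
```

Both `inner_identical` and `signature_valid` come back true, so a receiving application that wants to tell the user who encrypted the message needs something beyond the signature check.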