ietf-openpgp

Re: secure sign & encrypt

2002-05-21 11:24:28


----- Original Message -----
From: "Derek Atkins" <derek(_at_)ihtfp(_dot_)com>
To: "vedaal" <vedaal(_at_)hotmail(_dot_)com>
Cc: <ietf-openpgp(_at_)imc(_dot_)org>
Sent: Tuesday, May 21, 2002 12:23 PM
Subject: Re: secure sign & encrypt


Also, could the MDC be utilized to prevent such substitutions, by
detecting alterations of any of the packets?

No, because the MDC could be recreated as well.  The MDC is tied to K
but has no signature associated with it to tie it to the actual
sender.

It seems that one thing that is definitely different in a message that is
sent as 'sign and encrypt', and one that is re-encrypting a signed message,
is the time in which it is being done.

An authentic 'sign and encrypt' message has the signature and encryption
done within seconds of each other.

If there could be a packet added linking the time of encryption to the time
of signing {including elapsed time in seconds [or 0.00x seconds], and
therefore not attackable by trying to re-set the re-encrypting computer to
the time recorded in the original signed message}, and that packet tied to
an MDC, it might serve as a means of detection of re-encrypted signed
messages.

It should be able to be done without affecting backward compatibility,
and those using earlier implementations could accomplish the same thing (if
really necessary) by using [encrypt, sign & encrypt].

--just a thought,

vedaal
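
The quoted point that the MDC "could be recreated as well", shown as an added example that is not part of either message: the MDC is an unkeyed SHA-1 over the prefix and the plaintext packets, so it catches modification but does not bind the body to the sender. Encryption under K is omitted; the 16-byte block size and the sample packet bytes are assumptions constructed for illustration.

```python
import hashlib
import os

BLOCK = 16                 # cipher block size (assumption: a 128-bit block cipher)
MDC_HEADER = b"\xd3\x14"   # MDC packet tag octet and length octet (20-byte SHA-1)

def build_protected_body(packets: bytes) -> bytes:
    """Data that gets encrypted under session key K:
    random prefix, its last two octets repeated, the packets, the MDC packet."""
    prefix = os.urandom(BLOCK)
    hashed = prefix + prefix[-2:] + packets + MDC_HEADER
    return hashed + hashlib.sha1(hashed).digest()

def verify_mdc(body: bytes) -> bool:
    """Recipient-side check after decrypting with K. No sender secret is involved."""
    if len(body) < BLOCK + 2 + 22 or body[-22:-20] != MDC_HEADER:
        return False
    return hashlib.sha1(body[:-20]).digest() == body[-20:]

def extract_packets(body: bytes) -> bytes:
    """Strip the prefix and the trailing MDC packet."""
    return body[BLOCK + 2:-22]

def demo() -> dict:
    # Constructed stand-in for the literal data and signature packets.
    signed = b"<constructed: literal data packet + signature packet>"
    original = build_protected_body(signed)

    # A bit flipped inside the packets is caught by the MDC.
    tampered = bytearray(original)
    tampered[BLOCK + 5] ^= 0x01

    # A body rebuilt around the same signed packets gets a fresh, valid MDC,
    # because computing the hash needs nothing that only the signer holds.
    rebuilt = build_protected_body(extract_packets(original))

    return {
        "original_ok": verify_mdc(original),
        "tampered_ok": verify_mdc(bytes(tampered)),
        "rebuilt_ok": verify_mdc(rebuilt),
        "same_signed_packets": extract_packets(rebuilt) == signed,
        "bodies_differ": rebuilt != original,
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
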