[Top] [All Lists]

RE: secure sign & encrypt

2002-05-23 02:02:53

Derek Atkins <warlord(_at_)MIT(_dot_)EDU> writes:

You seem to be under the misconception that "sigh & enrypt" is an
atomic PGP operation.  It is not.  There is "OpenPGP Sign" and there
is "OpenPGP Encrypt", and these two functions _can_ be combined, but
the combination is NOT a single atomic function.  It never was.

Well, I intended it to become an atomic function. Many users perceive it
today to be an atomic function, and I think it would be really nice
and a big improvement of the software if it really became a secure
atomic function.

All PGP ever had was "first sign and then encrypt".  It was just
user-interface "syntactic sugar" that allows the user to perform both
tasks together.  However, there is no way for a receiver to tell the
difference between a one-pass and two-pass "sign and then encrypt".

That is what I see as a major weakness with PGP today. There should be
a difference, and the user should be able to be sure that the signer
and encrypter is the same person if atomic sign & encrypt is used.
It is both very user friendly to make it that way, and it will make
it more secure since it is a already a wide misconception that you
can tell the difference with the current implementation.

But the point is not to make some human readable boilerplate. The
point is that OpenPGP software automatically should be able 
to detect
if the message has been faked to look like it is created by
sign & encrypt when it really is not.

What do you mean?  Can you please explain what attack you believe
you are preventing?

Alice makes a love poem, signs & encrypts it and sends it to Bob.
Some months later they have broken up with each other. Bob decides
to be mean to Alice, and encrypts the signed love poem and sends it
to Charlie, faking the From header in the mail so it look likes it is
from Alice. Then Charlie has a message that is encrypted to him and signed
by Alice. It seems to Charlie like it is created by sign & encrypt in
PGP, so he is convinced this must be a message from Alice that she
has encrypted specially for him.

What I would like is any PGP implementation to be able to display a message
like "Good signature from nn. Warning, this message is not made with atomic
sign & encrypt, and may be encrypted by some one else."

Terje Bråten

<Prev in Thread] Current Thread [Next in Thread>