David P. Kemp <dpkemp(_at_)missi(_dot_)ncsc(_dot_)mil> wrote:

Your proposal for an extra packet does not address this alleged flaw.
Note that Alice could sign a message saying "encrypted to
Bob", and then
encrypt and send the message to Charlie, thus framing Bob for breach
of confidence.

Now that I have had time to think about it, the same could be done if
we used ESE. Alice can encrypt the packet to Bob and save a copy of
the symmetric key used to encrypt the message before encrypting it with
Bobs public key. Then she sign the encrypted packet, include some extra
packet with the session key she saved and encrypt it for Charlie.
Then Charlie receives an ESE packet where he can decrypt the inner
encryption
with the symmtreic key provided. And looking at the signature it looks like
it is originally encrypted for Bob, so it "must" be Bob that has leaked
the information and also given him the symmetric key.
So, in that respect my solution is no inferior to ESE regarding security.
And you avoid the cost of one extra encryption.
--
Terje Bråten