I'm not sure exactly what you mean by when you say Alice saves a copy
of the session key... How does Alice get that key to Charlie? Also
keep in mind that the interior and exterior encryptions SHOULD be
using different session keys. So, I don't understand what you mean?
Can you show the packets that Charlie sees? I don't see any way
to add a new ESK on the interior message without invalidating the
signature....
-derek
Terje Braaten <Terje(_dot_)Braaten(_at_)concept(_dot_)fr> writes:

David P. Kemp <dpkemp(_at_)missi(_dot_)ncsc(_dot_)mil> wrote:

Your proposal for an extra packet does not address this alleged flaw.
Note that Alice could sign a message saying "encrypted to
Bob", and then
encrypt and send the message to Charlie, thus framing Bob for breach
of confidence.

Now that I have had time to think about it, the same could be done if
we used ESE. Alice can encrypt the packet to Bob and save a copy of
the symmetric key used to encrypt the message before encrypting it with
Bobs public key. Then she sign the encrypted packet, include some extra
packet with the session key she saved and encrypt it for Charlie.
Then Charlie receives an ESE packet where he can decrypt the inner
encryption
with the symmtreic key provided. And looking at the signature it looks like
it is originally encrypted for Bob, so it "must" be Bob that has leaked
the information and also given him the symmetric key.
So, in that respect my solution is no inferior to ESE regarding security.
And you avoid the cost of one extra encryption.
--
Terje Bråten

--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord(_at_)MIT(_dot_)EDU PGP key available