[Top] [All Lists]

RE: secure sign & encrypt

2002-05-23 13:36:46

Derek Atkins <warlord(_at_)MIT(_dot_)EDU> writes:

Terje Braaten <Terje(_dot_)Braaten(_at_)concept(_dot_)fr> writes:

Derek Atkins <warlord(_at_)MIT(_dot_)EDU> wrote:
I'm not sure exactly what you mean by when you say Alice 
saves a copy
of the session key... How does Alice get that key to 
Charlie?  Also
keep in mind that the interior and exterior encryptions SHOULD be
using different session keys.  So, I don't understand 
what you mean?

She could send it to Charlie in a different mail, or add it 
on the outside
of the signature (ES) packet before she encrypt and send it 
to Charlie.
And since she control the building of the message, another solution
would be that she could also use the same session key in 
the interior and
exterior encryptions no matter what the protocol says 
should be done.

But then Charlie KNOWS that Alice did the dastardly deed.  Moreover,
you'd need extremely special reader to be able to read such a message,
because it would not be 2440-compliant.

No, if Alice faked the e-mail headers, he could think it was Bob that
sent it to him, and also revealed to him the session key to the inner
encryption packet. It is exactly the same case as if Alice just had
used SE and signed a packet with the recipient keys in the inner message.
Charlie would KNOW that something was wrong, but not if Alice or Bob
was to blame.

Can you show the packets that Charlie sees?  I don't see any way
to add a new ESK on the interior message without invalidating the

Charlie sees after decrypting the first layer
 PreSig[Alice]{ESK [Bob] Enc { Literal { Message } } }PostSig[Alice]

Ok, can you show me the complete message Charlie receives (before he
decrypts the first layer)?  Note that if Charlie sees this message, it
is quite clear that the message was meant for Bob alone.

Yes, but was it Bob that leaked the information or Alice? See he cannot

In addition he has, or can make ESK[Charlie]. This 
information he can
claim he must have got from Bob, since he is the only 
original recipient.

How can Charlie insert an ESK[Charlie] and not invalidate the

He cannot insert it in the inner encryption packet without invalidating
the signature, but he can make use of it to read the encrypted message.

Terje Bråten


<Prev in Thread] Current Thread [Next in Thread>