ietf-openpgp

Re: Encrypt then sign insecure?

2005-08-15 02:43:58

Hal Finney wrote:
> I have changed the subject line as this is in regard to Ben's citation
> of Hugo Krawczyk's paper on the order of signing and encryption,
> http://eprint.iacr.org/2001/045, also published in Crypto 01.
>
> This paper doesn't apply to systems like OpenPGP which compose public
> key signatures with public key encryption.  Rather, it investigates the
> composition of symmetric encryption (e.g. AES) with MAC.
>
> Krawczyk shows that it is not always safe to first MAC and then
> symmetrically encrypt, even if your MAC is secure and your symmetric
> encryption algorithm is secure.  He does this by coming up with rather
> artificial types of MAC and encryption which are individually secure
> but which interact in a bad way when put together like this.
>
> Krawczyk also shows some constructions that ARE always safe, including
> doing CBC with a secure cipher, then MACing the ciphertext.
>
> Again, this analysis is not applicable to the PK digital signatures and
> hybrid public/private key encryption used in OpenPGP.

This does not seem to me to be true. OpenPGP uses symmetric encryption under the hood, and signs the plaintext rather than the ciphertext. All that is needed is an oracle which will say whether the signature is correct or not.

Furthermore, OpenPGP does not use CBC, so the security proof from the paper doesn't help.

I agree that the paper uses rather an artificial cipher (though the MAC can be any MAC) but it isn't clear to me what the limits of the attack are.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
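
The validity-oracle point discussed in this thread, as an added example that is not part of either post and not code from the cited paper. It is modelled on the artificial-cipher counterexample the messages refer to. The bit encoding, the SHAKE-256 keystream, HMAC-SHA256 as the MAC and all function names are assumptions of this sketch, and it does not model OpenPGP.

```python
import hashlib, hmac, secrets

def bits(data):
    return [(byte >> s) & 1 for byte in data for s in range(7, -1, -1)]

def unbits(bs):
    return bytes(int("".join(map(str, bs[i:i + 8])), 2) for i in range(0, len(bs), 8))

def keystream(key, nonce, n):
    # Stand-in stream cipher (assumption): SHAKE-256 output used as a keystream.
    return bits(hashlib.shake_256(key + nonce).digest((n + 7) // 8))[:n]

def enc(key, data):
    # Artificial encoding: 0 -> 00, 1 -> 01 or 10 (random); then XOR a keystream.
    coded = [x for b in bits(data)
             for x in ((0, 0) if b == 0 else secrets.choice([(0, 1), (1, 0)]))]
    nonce = secrets.token_bytes(16)
    return nonce, [c ^ k for c, k in zip(coded, keystream(key, nonce, len(coded)))]

def dec(key, nonce, ct):
    plain = [c ^ k for c, k in zip(ct, keystream(key, nonce, len(ct)))]
    pairs = list(zip(plain[0::2], plain[1::2]))
    return None if (1, 1) in pairs else unbits([a | b for a, b in pairs])  # 11 is invalid

def mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def mte_seal(ke, km, msg):  # MAC the plaintext, then encrypt message and tag
    return enc(ke, msg + mac(km, msg))

def mte_open(ke, km, nonce, ct):
    pt = dec(ke, nonce, ct)
    ok = pt is not None and hmac.compare_digest(mac(km, pt[:-32]), pt[-32:])
    return pt[:-32] if ok else None

def etm_seal(ke, km, msg):  # encrypt, then MAC the nonce and ciphertext
    nonce, ct = enc(ke, msg)
    return nonce, ct, mac(km, nonce + bytes(ct))

def etm_open(ke, km, nonce, ct, tag):
    if not hmac.compare_digest(mac(km, nonce + bytes(ct)), tag):
        return None  # rejected before any decryption happens
    return dec(ke, nonce, ct)

def probe(accepts, ct, nbits):
    # Flip one encoded pair per query; record only whether the receiver accepted.
    def flipped(i):
        return ct[:2 * i] + [ct[2 * i] ^ 1, ct[2 * i + 1] ^ 1] + ct[2 * i + 2:]
    return [int(accepts(flipped(i))) for i in range(nbits)]
```

With MAC-then-encrypt the accept/reject pattern returned by `probe` equals the plaintext bits, while with encrypt-then-MAC every modified ciphertext is rejected, so the pattern carries no information.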

