Hal Finney wrote:
> Ben Laurie wrote:
> > Hal Finney wrote:
> > > This paper doesn't apply to systems like OpenPGP which compose public
> > > key signatures with public key encryption. Rather, it investigates the
> > > composition of symmetric encryption (e.g. AES) with MAC.
> > > ...
> > This does not seem to me to be true. OpenPGP uses symmetric encryption
> > under the hood, and signs the plaintext rather than the ciphertext. All
> > that is needed is an oracle which will say whether the signature is
> > correct or not.
> Krawczyk's paper is about combining MAC and symmetric encryption.
> That's not what OpenPGP does. We don't do MACs.

Actually, the only point of the MAC is to tell whether decryption
succeeded. Signatures do the same job.

> > Furthermore, OpenPGP does not use CBC, so the security proof from the
> > paper doesn't help.
> That's true, but the point is that the paper is not about systems like
> OpenPGP at all.

Yes it is. The required properties are: a) encryption and b) the
possibility to detect errors in the plaintext.
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff