signing & encrypting

Leigh S. Jones, KR6X kr6x@kr6x.com
Fri May 17 19:49:01 2002 

Ryan Malayter wrote:

S(E(m)) has a vulnerability in that you know who signed a message,
but you don't know who originally wrote or encrypted the message.

E(S(m)) has the vulnerability that you know who originally wrote and
signed the message, but you don't know who actually encrypted it and
sent it to you.

This may be true from the point of view of the software.  In the real
world we usually have reason to trust our signers.  If our contact
performs an E(S(m)), then we have a signed message when 
decrypted.  It may not be important to know who encrypted and 
sent the message because we trust the signature.

If we S(E(m)) then we should be able to trust our signer to know
what he has signed.  Would you sign an encrypted message
unseen?

If we S(E(S(m))) then the identity of the sender has been
compromised.  In the case of credit card transactions for instance
this might possibly not be an issue, but since the early days of
my use of PGP and gpg I've learned that even honest, law
abiding people can have much reason to use caution about
revealing certain things.  For instance, if the recipient of the
message is a holiday resort, then the information contained 
inside might be a request for reservations.  A burglar with the
ability to monitor messages at some internet node could use
this information to profile his next victim.  He wouldn't need
to decrypt the message, only be aware that sensitive 
communications is taking place between Rich Guy and
Phoenix Phat Pharm.  Now he knows to watch for Rich Guy's
home looking like he's away for a few days.

In the real world it's much more likely that we will either receive
S(m) clearsigned messages that have no secret content, or we
will receive E(m) or E(S(m)) messages where the sender doesn't
wish to make his identity known to anyone besides the owner of 
the secret key.  E-mail return addresses make this more difficult 
to accomplish, but there are ways to get around this.

----- Original Message ----- 
From: "Ryan Malayter" <rmalayter@bai.org>
To: <gnupg-users@gnupg.org>
Sent: Friday, May 17, 2002 08:18
Subject: RE: signing & encrypting


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

From: Anthony E. Greene [mailto:agreene@pobox.com] 
>But if the message data is signed, any tampering (even 
>if you're lucky enough to have it decrypt to something 
>that makes sense) will make the signature fail validation.

Tampering isn't the point. Check out that reference I posted earlier.
Basically, it summarizes as:

S(E(m)) has a vulnerability in that you know who signed a message,
but you don't know who originally wrote or encrypted the message.

E(S(m)) has the vulnerability that you know who originally wrote and
signed the message, but you don't know who actually encrypted it and
sent it to you.

S(E(S(m))) prevents both of these vulnerabilites, provided that the
inner and outer signatures are both valid and made from the same
private key. Most OpenPGP programs, while capable of S(E(S(m))),
don't do it in one step, on the encryption or decryption end.

-ryan-



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6-2 (MingW32) - WinPT 0.5.7
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjzlHpEACgkQ9wZiZHyXot4DpACfZSvsBQ2OqR8UKb8NZ2J86AyU
dJYAnRkNKxgVrMyU6hqsbR0IgvgRpeGR
=YTq5
-----END PGP SIGNATURE-----

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users