signing & encrypting

David Shaw dshaw@jabberwocky.com
Thu May 16 14:37:01 2002


On Thu, May 16, 2002 at 12:01:18PM +0000, Aurelio Turco wrote:
> In the FAQ (http://www.gnupg.org/faq.html) it says:
> 
>   There is a small security glitch in the OpenPGP (and therefore GnuPG)
>   system; to avoid this you should always sign and encrypt a message
>   instead of only encrypting it.
> 
> Can someone provide a one or two sentence explanation as to what this
> glitch might be?

Maybe not in one or two sentences ;)

In an encrypted, but not signed message, it is theoretically possible
to modify the message by inserting more encrypted bytes into the
middle.  Sort of like transforming "Hi Fred, I hope you are well" into
"Hi Fred, you rotten bastard, I hope you are doing badly and soon fall
down a well".

Signing prevents this problem, as the signature would not be valid on
a modified message.  However, GnuPG also supports the MDC
(modification detection code) feature of OpenPGP which includes a
mini-signature inside the encrypted data which can also prevent this
without signing.

> If one is to both sign and encrypt a message, would I be correct in
> saying that one should encrypt before signing?

Other way around - when you encrypt and sign, you are doing
encrypt(sign(data)).

> Does the order in which --sign and --encrypt are specified on the gpg
> command line make a difference to the order in which the corresponding
> operations are done?

No.

David

-- 
   David Shaw  |  dshaw@jabberwocky.com  |  WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson
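
Added example, not part of the message above and not GnuPG code: a simplified Python model of the two cases David describes, an encrypted-only message that is altered in transit and the same message protected by an MDC-style hash inside the encrypted data. It assumes a toy CFB mode built on SHA-256 in place of a real block cipher and models the MDC as a SHA-1 hash of the plaintext appended before encryption, leaving out OpenPGP's packet framing; the key and all function names are constructed.

```python
import hashlib, hmac, os

BLOCK = 16

def _prf(key, block):
    # Assumption: toy stand-in for a block cipher's encrypt direction.
    return hashlib.sha256(key + block).digest()[:BLOCK]

def _cfb(key, iv, data, decrypt):
    # CFB: each block is XORed with the PRF of the previous ciphertext block.
    out, prev = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        chunk = data[i:i + BLOCK]
        res = bytes(a ^ b for a, b in zip(chunk, _prf(key, prev)))
        out += res
        prev = chunk if decrypt else res
    return bytes(out)

def encrypt(key, msg, mdc):
    # With mdc=True the hash travels inside the encrypted data.
    body = msg + hashlib.sha1(msg).digest() if mdc else msg
    iv = os.urandom(BLOCK)
    return iv + _cfb(key, iv, body, decrypt=False)

def decrypt(key, blob, mdc):
    body = _cfb(key, blob[:BLOCK], blob[BLOCK:], decrypt=True)
    if not mdc:
        return body  # nothing to check: whatever comes out is accepted
    msg, tag = body[:-20], body[-20:]
    if len(tag) != 20 or not hmac.compare_digest(hashlib.sha1(msg).digest(), tag):
        raise ValueError("modification detected")
    return msg

def flip_byte(blob, index):
    # Constructed tampering: one ciphertext byte changed in transit.
    changed = bytearray(blob)
    changed[index] ^= 0x01
    return bytes(changed)

def demo():
    key, msg = b"constructed demo key", b"Hi Fred, I hope you are well"
    accepted = decrypt(key, flip_byte(encrypt(key, msg, False), BLOCK + 3), False)
    try:
        decrypt(key, flip_byte(encrypt(key, msg, True), BLOCK + 3), True)
        verdict = "accepted"
    except ValueError as exc:
        verdict = str(exc)
    return accepted != msg, verdict

if __name__ == "__main__":
    print(demo())
```

Without the hash, the altered ciphertext decrypts to different bytes and no error is raised; with it, decryption refuses the message.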