signing & encrypting

Aurelio Turco a.turco@bom.gov.au
Fri May 17 14:11:02 2002


Ryan Malayter wrote:
> 
> The best security comes from using sign/encrypt/sign. See:
> 
> http://world.std.com/~dtd/sign_encrypt/sign_encrypt7.html

Thanks for the reference. I found it a great help.

However, the author does not mention GnuPG.
I presume that this is because in GnuPG signing
and encrypting can be done in a single operation
with the corresponding reverse operation consisting
of a single decryption, thereby preventing a
substitution of the outer layer and the attacks
that that would give rise to, that he discusses.

But, even in GnuPG, if one chose to do the signing
and encrypting in two separate steps, then one
would be vulnerable to the kinds of attacks that
he talks about.

But I'm just a newbie, trying to find my way out
of the woods.

Hopefully, someone more experienced will confirm
or deny.

Cheers.
Aurelio.
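The substitution the thread is talking about is easiest to see with the message layout written out. The following is an added illustration, not code from the original post or from GnuPG: it uses toy primitives (an HMAC standing in for a signature, a keyed SHA-256 stream standing in for public-key encryption, with constructed key tables for "alice", "bob" and "carol") because the point is the layout, not the ciphers. It contrasts a layout where the signature covers only the text with one where the intended recipient is named inside the signed data, and shows that the receiver's check on that name is what rejects a message whose outer encryption layer has been replaced. Sign/encrypt/sign achieves the same binding by a different layout; the simpler recipient-in-signed-data fix is the one shown here.

```python
import hashlib
import hmac
import json

# Constructed toy key tables (not real keys). ENCRYPTION_KEYS plays the role
# of public keys: anyone may encrypt to a party, and that party decrypts with
# the same entry. SIGNING_KEYS is used both to sign and to verify, standing in
# for a public verification key. Only the message layout matters here.
SIGNING_KEYS = {"alice": b"alice-sign", "bob": b"bob-sign", "carol": b"carol-sign"}
ENCRYPTION_KEYS = {"alice": b"alice-enc", "bob": b"bob-enc", "carol": b"carol-enc"}


def _keystream(key: bytes, n: int) -> bytes:
    # Counter-mode SHA-256 stream: a toy stand-in for a real cipher.
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def encrypt(recipient: str, payload: dict) -> dict:
    data = json.dumps(payload, sort_keys=True).encode()
    ks = _keystream(ENCRYPTION_KEYS[recipient], len(data))
    return {"to": recipient, "ct": bytes(a ^ b for a, b in zip(data, ks)).hex()}


def decrypt(recipient: str, envelope: dict) -> dict:
    ct = bytes.fromhex(envelope["ct"])
    ks = _keystream(ENCRYPTION_KEYS[recipient], len(ct))
    return json.loads(bytes(a ^ b for a, b in zip(ct, ks)).decode())


def sign(signer: str, body: dict) -> dict:
    data = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(SIGNING_KEYS[signer], data, hashlib.sha256).hexdigest()
    return {"signer": signer, "body": body, "sig": tag}


def verify(signed: dict) -> bool:
    data = json.dumps(signed["body"], sort_keys=True).encode()
    expected = hmac.new(SIGNING_KEYS[signed["signer"]], data, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed["sig"])


def send_unbound(sender: str, recipient: str, text: str) -> dict:
    # Sign, then encrypt, as two independent steps: the signature covers
    # only the text, so nothing under it says who the message was meant for.
    return encrypt(recipient, sign(sender, {"text": text}))


def receive_unbound(me: str, envelope: dict):
    signed = decrypt(me, envelope)
    if not verify(signed):
        return None
    return signed["signer"], signed["body"]["text"]


def send_bound(sender: str, recipient: str, text: str) -> dict:
    # Name the intended recipient inside the signed data, so the signature
    # binds the plaintext to its addressee and not just to its author.
    return encrypt(recipient, sign(sender, {"to": recipient, "text": text}))


def receive_bound(me: str, envelope: dict):
    signed = decrypt(me, envelope)
    # The extra check: a valid signature is not enough, the signed
    # recipient field must name the party actually decrypting it.
    if not verify(signed) or signed["body"].get("to") != me:
        return None
    return signed["signer"], signed["body"]["text"]


def replace_outer_layer(holder: str, envelope: dict, new_recipient: str) -> dict:
    # The outer-layer substitution the thread refers to: a legitimate
    # recipient removes its own encryption layer and re-encrypts the
    # still-signed inner object to a different party.
    return encrypt(new_recipient, decrypt(holder, envelope))


def demo() -> dict:
    unbound = send_unbound("alice", "bob", "approved")
    bound = send_bound("alice", "bob", "approved")
    # Bob can read both; he then re-encrypts both inner objects to Carol.
    carol_unbound = replace_outer_layer("bob", unbound, "carol")
    carol_bound = replace_outer_layer("bob", bound, "carol")
    return {
        "bob_unbound": receive_unbound("bob", unbound),      # ("alice", "approved")
        "bob_bound": receive_bound("bob", bound),            # ("alice", "approved")
        "carol_unbound": receive_unbound("carol", carol_unbound),  # accepted as if sent to her
        "carol_bound": receive_bound("carol", carol_bound),  # None: recipient check fails
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

In the unbound layout Carol ends up holding a message that verifies as Alice's and was delivered to her, with no way to tell it was never addressed to her; in the bound layout the same re-encryption is rejected by a one-line check. Whether GnuPG's single `--sign --encrypt` operation makes a difference to this depends on what the signature actually covers, which is the question the poster leaves open.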