Re: Recipient-verifiable messages, was: forwarding an encrypted PGP message is useless
moeller@cdc.informatik.tu-darmstadt.de (Bodo Moeller) Sun, 26 May 2002 15:52 UTC
Date: Sun, 26 May 2002 17:28:41 +0200
To: ietf-openpgp@imc.org, Hal Finney <hal@finney.org>, adam@cypherspace.org
From: moeller@cdc.informatik.tu-darmstadt.de

Hal Finney <hal@finney.org>:
> Adam Back writes:

>> What we proposed is related.  Rather
>> than the normal encrypted signed message:
>>
>> Encrypt_Bob(K), Encrypt(K, Sign_Alice(Hash(msg)), msg)
>>
>> we proposed:
>>
>> Encrypt_Bob(K), Encrypt(K, Sign_Alice(Hash(K||Bob_PK)), msg)
>>
>> with the additional restriction that the encryption mode should be one
>> of the MDC modes (ie appended MAC with K outside encryption, or
>> appended hash of msg inside encryption).

>> To break that down: we hash Bob's public key so that Bob can't turn
>> around and forge an arbitrary message from Alice to
>> Charlie using signed K.  What Bob is left with is proof that Alice
>> sent him a message, but no evidence of what the message body was.

> I see, that seems to work well too. [...]

Does it?  If Bob is willing to reveal K and additional data such as
padding used for RSA encryption, can't everyone verify that this is
indeed a valid signature by Alice on 'msg'?

-- 
Bodo Möller <moeller@cdc.informatik.tu-darmstadt.de>
PGP http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller/0x36d2c658.html
* TU Darmstadt, Theoretische Informatik, Alexanderstr. 10, D-64283 Darmstadt
* Tel. +49-6151-16-6628, Fax +49-6151-16-6036
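
The construction quoted in this message, as an added example that is not part of the original post: a toy model of what an outsider can check once Bob reveals K, where the signature over Hash(K||Bob_PK) verifies but so does any other body re-sealed under the same K. Assumptions: textbook RSA on two Mersenne primes stands in for Sign_Alice, a SHA-256 keystream with an appended HMAC stands in for the MDC mode, Encrypt_Bob(K) is left out because K is revealed, and all function names and sample bytes are constructed.

```python
import hashlib, hmac, secrets

# Toy RSA key for "Alice" built from two Mersenne primes; textbook RSA, no padding.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
SIG_LEN = (N.bit_length() + 7) // 8

def binding(k, bob_pk):
    """Hash(K || Bob_PK) as an integer: the only value Alice signs."""
    return int.from_bytes(hashlib.sha256(k + bob_pk).digest(), "big")

def sign_alice(k, bob_pk):
    return pow(binding(k, bob_pk), D, N).to_bytes(SIG_LEN, "big")

def keystream_xor(k, data):
    """Toy stream cipher: XOR with SHA-256(K || "enc" || offset) blocks."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(k + b"enc" + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def seal(k, sig, msg):
    """Encrypt(K, sig, msg) with an appended MAC keyed by K (the MDC)."""
    ct = keystream_xor(k, sig + msg)
    return ct + hmac.new(k, ct, hashlib.sha256).digest()

def third_party_check(k, blob, bob_pk):
    """What anyone can check once Bob reveals K. Returns msg or None."""
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(k, ct, hashlib.sha256).digest()):
        return None
    body = keystream_xor(k, ct)
    sig, msg = body[:SIG_LEN], body[SIG_LEN:]
    if pow(int.from_bytes(sig, "big"), E, N) != binding(k, bob_pk):
        return None
    return msg

def demo():
    bob_pk = b"constructed-bob-public-key"      # placeholder bytes, not a real key
    k = secrets.token_bytes(16)
    sent = seal(k, sign_alice(k, bob_pk), b"what Alice wrote")
    # Anyone holding K can lift the signature and re-seal a different body.
    sig = keystream_xor(k, sent[:-32])[:SIG_LEN]
    swapped = seal(k, sig, b"what Bob claims")
    return k, bob_pk, sent, swapped
```

In this model the check binds Alice to K and to Bob's key only; the message body is covered by nothing except the symmetric key that Bob also holds.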