Re: Recipient-verifiable messages, was: forwarding an encrypted PGP message is useless

"Hal Finney" <hal@finney.org> Thu, 18 April 2002 19:39 UTC

Date: Thu, 18 Apr 2002 12:20:40 -0700
From: Hal Finney <hal@finney.org>
Message-Id: <200204181920.g3IJKei01453@finney.org>
To: adam@cypherspace.org, hal@finney.org
Subject: Re: Recipient-verifiable messages, was: forwarding an encrypted PGP message is useless
Cc: ietf-openpgp@imc.org

Adam Back writes:
> What we proposed is related.  Rather
> than the normal encrypted signed message:
>
> 	Encrypt_Bob(K), Encrypt(K, Sign_Alice(Hash(msg)), msg)
>
> we proposed:
>
> 	Encrypt_Bob(K), Encrypt(K, Sign_Alice(Hash(K||Bob_PK)), msg)
>
> with the additional restriction that the encryption mode should be one
> of the MDC modes (i.e. appended MAC with K outside encryption, or
> appended hash of msg inside encryption).

I see, that seems to work well too.  Plus it hides the nature of the
internal signature because it looks like a regular, opaque encryption
message on the outside.

> To break that down: we hash Bob's public key so that Bob can't turn
> around and forge an arbitrary message from Alice to Charlie using
> signed K.  What Bob is left with is proof that Alice sent him a
> message, but no evidence of what the message body was.
>
> The approach generalises to multiple recipients: either hash in all
> of the recipient public keys, or include signatures for each recipient
> -- the latter is probably preferable as then the recipient doesn't
> need all the other recipients' public keys to verify.

I don't think that works for multiple recipients, because any recipient
can recover K, alter the msg, and re-create an apparently valid message
that would be accepted by other recipients.  Alice's signature is only
on K and public keys so that part doesn't change when the msg does.
> Indeed.  One aspect of our proposal which may be good is that
> extracting a signature contained inside an encrypted message is
> already not directly supported.  So nothing _new_ has been added from
> the user's perspective -- rather that feature has been
> cryptographically assured rather than just being an unimplemented
> implementation possibility.

Actually I think PGP 2.X did have the ability to strip off one layer
of PGP processing, so it could be used to turn a signed-and-encrypted
message into a signed one.  It would not be cleartext signed, it would use
literal packets, but it would be a legal signed message.  Perhaps GnuPG
has retained the ability to do this.

Hal
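Added example, not part of this thread or of any OpenPGP implementation: a small Python model of the two constructions being compared, Sign_Alice(Hash(msg)) and Sign_Alice(Hash(K || recipient keys)), with both properties discussed above checked side by side: Bob re-wrapping K for a third party (the forwarding Adam's construction is meant to prevent) and Bob altering msg under the shared K (Hal's multi-recipient objection). The cryptographic primitives are stand-ins chosen so the example runs with the standard library only: Sign_Alice is an HMAC under a key only Alice holds, Encrypt_Bob(K) is a dictionary entry keyed by Bob's public key, and Encrypt(K, ...) is a SHA-256 counter keystream; the recipient identifiers and message text are constructed. What the example demonstrates depends only on what Alice's signature covers, which the stand-ins reproduce.

```python
"""Constructed model of the thread's two signed-and-encrypted constructions.

Stand-ins, labelled: Sign_Alice = HMAC under Alice's key; Encrypt_Bob(K) =
dict entry keyed by Bob's public key; Encrypt(K, ...) = SHA-256 counter
keystream XOR; MDC = hash of msg appended inside the encryption.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

ALICE_SIGNING_KEY = b"alice-signing-key-stand-in"   # constructed, plays Alice's private key

def H(*parts: bytes) -> bytes:
    """Hash(a || b || ...) in the thread's notation."""
    return hashlib.sha256(b"".join(parts)).digest()

def sign_alice(data: bytes) -> bytes:
    """Sign_Alice(data): HMAC stand-in for a public-key signature."""
    return hmac.new(ALICE_SIGNING_KEY, data, hashlib.sha256).digest()

def verify_alice(data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign_alice(data), sig)

def keystream_xor(k: bytes, data: bytes) -> bytes:
    """Encrypt(K, data): toy counter-mode stream cipher; symmetric, so it also decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = H(k, i.to_bytes(4, "big"))
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

@dataclass
class Message:
    wrapped_keys: dict   # recipient_pk -> K, stand-in for Encrypt_Recipient(K)
    body: bytes          # Encrypt(K, sig || msg || Hash(msg))

def encrypt_body(k: bytes, sig: bytes, msg: bytes) -> bytes:
    """The 'appended hash of msg inside encryption' MDC variant from the quoted text."""
    return keystream_xor(k, sig + msg + H(msg))

def decrypt_body(k: bytes, body: bytes):
    plain = keystream_xor(k, body)
    sig, msg, mdc = plain[:32], plain[32:-32], plain[-32:]
    if not hmac.compare_digest(H(msg), mdc):
        raise ValueError("MDC mismatch: ciphertext modified by someone without K")
    return sig, msg

# The two choices of what Alice's signature covers.
def classic_sign_over(k, pks, msg):
    return H(msg)                 # Sign_Alice(Hash(msg))

def adam_sign_over(k, pks, msg):
    return H(k, *sorted(pks))     # Sign_Alice(Hash(K || all recipient public keys))

def make_message(msg: bytes, recipient_pks, sign_over) -> Message:
    k = os.urandom(32)
    sig = sign_alice(sign_over(k, recipient_pks, msg))
    return Message({pk: k for pk in recipient_pks}, encrypt_body(k, sig, msg))

def open_message(m: Message, my_pk: bytes, sign_over):
    """Recipient side: recover K, decrypt, check the MDC, then check Alice's signature."""
    k = m.wrapped_keys[my_pk]
    sig, msg = decrypt_body(k, m.body)
    return msg, verify_alice(sign_over(k, list(m.wrapped_keys), msg), sig)

def bob_alters(m: Message, bob_pk: bytes, new_msg: bytes) -> Message:
    """Hal's objection: a recipient who knows K re-encrypts a different msg, reusing the signature."""
    k = m.wrapped_keys[bob_pk]
    sig, _ = decrypt_body(k, m.body)
    return Message(dict(m.wrapped_keys), encrypt_body(k, sig, new_msg))

def bob_forwards(m: Message, bob_pk: bytes, third_party_pk: bytes) -> Message:
    """What Adam's construction targets: K re-wrapped for someone Alice never addressed."""
    k = m.wrapped_keys[bob_pk]
    return Message({third_party_pk: k}, m.body)

def demo() -> dict:
    bob, charlie, dave = b"bob-pk", b"charlie-pk", b"dave-pk"   # constructed identifiers
    results = {}
    for name, sign_over in (("classic", classic_sign_over), ("adam", adam_sign_over)):
        m = make_message(b"pay Bob 10", [bob, charlie], sign_over)
        results[name] = {
            "honest": open_message(m, charlie, sign_over)[1],
            "altered": open_message(bob_alters(m, bob, b"pay Bob 1000"), charlie, sign_over)[1],
            "forwarded": open_message(bob_forwards(m, bob, dave), dave, sign_over)[1],
        }
    return results

if __name__ == "__main__":
    print(demo())   # classic: altered fails, forwarded passes; adam: the reverse
```

The two rows of the result are mirror images. Under the classic construction Charlie rejects Bob's altered body (the signature is over Hash(msg)) but Dave accepts the forwarded one, since nothing signed names a recipient. Under the proposed construction Dave rejects the forwarded copy because his key is not in the signed hash, but Charlie accepts Bob's altered body: the MDC only detects edits made by a party who does not hold K, and every recipient holds K, so Alice's signature over K and the recipient keys leaves msg unprotected among the recipients.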