Re: Recipient-verifiable messages, was: forwarding an encrypted PGP message is useless
"Hal Finney" <hal@finney.org> Thu, 18 April 2002 19:39 UTC
Date: Thu, 18 Apr 2002 12:20:40 -0700
From: Hal Finney <hal@finney.org>
Message-Id: <200204181920.g3IJKei01453@finney.org>
To: adam@cypherspace.org, hal@finney.org
Subject: Re: Recipient-verifiable messages, was: forwarding an encrypted PGP message is useless
Cc: ietf-openpgp@imc.org

Adam Back writes:
> What we proposed is related.  Rather
> than the normal encrypted signed message:
>
> Encrypt_Bob(K), Encrypt(K, Sign_Alice(Hash(msg)), msg)
>
> we proposed:
>
> Encrypt_Bob(K), Encrypt(K, Sign_Alice(Hash(K||Bob_PK)), msg)
>
> with the additional restriction that the encryption mode should be one
> of the MDC modes (i.e. appended MAC with K outside encryption, or
> appended hash of msg inside encryption).

I see, that seems to work well too.  Plus it hides the nature of the
internal signature because it looks like a regular, opaque encryption
message on the outside.

> To break that down: we hash Bob's public key so that Bob can't turn
> around and forge an arbitrary message from Alice to
> Charlie using signed K.  What Bob is left with is proof that Alice
> sent him a message, but no evidence of what the message body was.
>
> The approach generalises to multiple recipients: either hash in all
> of the recipient public keys, or include signatures for each recipient
> -- the latter is probably preferable as then the recipient doesn't
> need all the other recipients' public keys to verify.

I don't think that works for multiple recipients, because any recipient
can recover K, alter the msg, and re-create an apparently valid message
that would be accepted by other recipients.  Alice's signature is only
on K and public keys so that part doesn't change when the msg does.

> Indeed.  One aspect of our proposal which may be good is that
> extracting a signature contained inside an encrypted message is
> already not directly supported.  So nothing _new_ has been added from
> the user's perspective -- rather that feature has been
> cryptographically assured rather than just being an unimplemented
> implementation possibility.

Actually I think PGP 2.X did have the ability to strip off one layer of
PGP processing, so it could be used to turn a signed-and-encrypted
message into a signed one.  It would not be cleartext signed, it would
use literal packets, but it would be a legal signed message.  Perhaps
GnuPG has retained the ability to do this.

Hal
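
Added example, not part of Hal Finney's message or of the thread: a Python model of the multiple-recipient objection above, using the variant that hashes all recipient public keys into a single signature. The HMAC stand-in for Sign_Alice, the toy SHA-256 stream cipher, the key values and every function name are assumptions made for this example; the Encrypt_Bob(K) wrapping is not modelled and each recipient is assumed to have recovered K.

```python
import hashlib, hmac, os

def H(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

# Stand-in for Sign_Alice: HMAC under a key only Alice holds; verify_alice()
# plays the role of public verification. Not a real signature scheme.
ALICE_SK = os.urandom(32)

def sign_alice(digest):
    return hmac.new(ALICE_SK, digest, "sha256").digest()

def verify_alice(digest, sig):
    return hmac.compare_digest(sign_alice(digest), sig)

def xor_stream(K, data):
    # Toy stream cipher: SHA-256 in counter mode (constructed for this example).
    blocks = (len(data) + 31) // 32
    ks = b"".join(H(K, i.to_bytes(8, "big")) for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, ks))

def sym_encrypt(K, sig, msg):
    # Encrypt(K, sig, msg) with the hash of the plaintext appended inside (MDC).
    body = sig + msg
    return xor_stream(K, body + H(body))

def sym_decrypt(K, ct):
    pt = xor_stream(K, ct)
    body, mdc = pt[:-32], pt[-32:]
    if not hmac.compare_digest(H(body), mdc):
        raise ValueError("MDC mismatch")
    return body[:32], body[32:]  # (signature, msg)

def alice_send(K, pks, msg):
    # The signature covers K and the recipient keys only, never msg.
    return sym_encrypt(K, sign_alice(H(K, *pks)), msg)

def recipient_accepts(K, pks, ct):
    sig, msg = sym_decrypt(K, ct)
    if not verify_alice(H(K, *pks), sig):
        raise ValueError("bad signature")
    return msg

def rewrap(K, ct, new_msg):
    # Any recipient holding K can keep Alice's signature and swap the body.
    sig, _ = sym_decrypt(K, ct)
    return sym_encrypt(K, sig, new_msg)

def demo():
    K, pks = os.urandom(32), [b"constructed-Bob_PK", b"constructed-Carol_PK"]
    ct = alice_send(K, pks, b"original body")
    return recipient_accepts(K, pks, ct), recipient_accepts(K, pks, rewrap(K, ct, b"altered body"))
```

demo() returns both bodies as accepted, because the MDC only stops parties who do not hold K and the signature never covers msg.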