Re: Recipient-verifiable messages, was: forwarding an encrypted PGP message is useless

Adam Back <adam@cypherspace.org> Thu, 18 April 2002 01:35 UTC

Date: Thu, 18 Apr 2002 02:27:56 +0100
From: Adam Back <adam@cypherspace.org>
To: Hal Finney <hal@finney.org>
Cc: ietf-openpgp@imc.org
Subject: Re: Recipient-verifiable messages, was: forwarding an encrypted PGP message is useless
Message-ID: <20020418022756.A1878773@exeter.ac.uk>
References: <200204111545.g3BFjdw11622@finney.org>
In-Reply-To: <200204111545.g3BFjdw11622@finney.org>; from hal@finney.org on Thu, Apr 11, 2002 at 08:45:39AM -0700

Only just saw this thread due to a mailer config issue and Ian Brown
pointed it out to me.

The approach of signing encrypted key and using the key to MAC the
data is interesting.  It's very similar to what Ian and I proposed in:

Non-Transferable Signatures using PGP, Usenix Annual Technical
Conference, 98, Ian Brown and Adam Back

There's a short summary here:

	http://www.cs.ucl.ac.uk/staff/I.Brown/nts.htm

> Unfortunately I think that adding a new flavor of signature would tend
> to create confusion among users who at best barely understand public
> key cryptography.  The new kind of signature would have very different
> security properties and usage scenarios, so it would add additional
> complexity for people to deal with.

I don't think that's so bad.  I think a reasonable approach for example
would be to by default non-transferably sign when messages are
encrypted and transferably sign when they are not (which makes sense
as it's probably what you want anyway as you described in a later
message, and with this particular scheme you can't sign without
encrypting).

btw we originally were going to put the non-transferable signature
stuff in the Forward Secrecy Extensions for PGP ID, but opted instead
to separate concerns and keep the ID simple.

	http://www.cypherspace.org/openpgp/pfs/openpgp-pfs.txt

Adam

On Thu, Apr 11, 2002 at 08:45:39AM -0700, Hal Finney wrote:
> I haven't read this RFC, but I had a long discussion with Wei Dai last
> year about ways to do this within the OpenPGP framework.  We came up with
> a couple of ideas.  These might be called "recipient-verifiable" signed
> messages, to distinguish them from the regular PGP signed messages which
> are "world-verifiable".  The general approach is to make the message such
> that the recipient could "forge" fake messages from the sender that look
> legitimate to third parties.  This prevents the real message from being
> shown around in a convincing way.
> 
> Wei suggested that the recipient-verifiable message from Alice to Bob
> could be as follows:
> 
> Sign_Alice( Encrypt_Bob( K ) ), MAC_K( Msg ), Msg.
> 
> The idea is that Alice chooses a MAC key K, encrypts it to Bob and then
> signs the encrypted packet.  She sends this, along with the MAC'd message,
> to Bob.  Bob can recover K from the encrypted packet, verifying the
> signature by Alice on that packet, and then verify the MAC.
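Hal's construction from the quoted message, as an added toy example that is not code from Hal, Wei Dai, or the Brown/Back paper: the tiny textbook RSA keys and the 2-byte MAC key are constructed stand-ins so that it runs with only the Python standard library, and `bob_forge` shows the property the thread is about, namely that the recipient can produce a second packet a third party cannot tell from the real one.

```python
import hashlib
import hmac
import secrets

# Toy textbook RSA on constructed tiny primes: enough to show the packet
# structure, useless as real cryptography (assumption: illustration only).
def rsa_keypair(p, q, e=17):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))          # (public, private)

ALICE_PUB, ALICE_PRIV = rsa_keypair(61, 53)      # Alice's signing key
BOB_PUB, BOB_PRIV = rsa_keypair(101, 113)        # Bob's encryption key

def rsa_apply(x, key):
    n, exp = key
    return pow(x, exp, n)

def digest_mod_n(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def mac(k, msg):
    # K is a small int in this toy; a real scheme would use a full-width key.
    return hmac.new(k.to_bytes(2, "big"), msg, hashlib.sha256).digest()

def alice_send(msg, alice_priv=ALICE_PRIV, bob_pub=BOB_PUB):
    """Build Sign_Alice(Encrypt_Bob(K)), MAC_K(Msg), Msg."""
    k = secrets.randbelow(bob_pub[0] - 2) + 2     # fresh MAC key K, 2 <= K < n_Bob
    enc_k = rsa_apply(k, bob_pub)                 # Encrypt_Bob(K), fits in 2 bytes
    sig = rsa_apply(digest_mod_n(enc_k.to_bytes(2, "big"), alice_priv[0]), alice_priv)
    return sig, enc_k, mac(k, msg), msg

def third_party_check(packet, alice_pub=ALICE_PUB):
    """What anyone can verify: Alice's signature on the encrypted key only."""
    sig, enc_k, _, _ = packet
    return rsa_apply(sig, alice_pub) == digest_mod_n(enc_k.to_bytes(2, "big"), alice_pub[0])

def bob_verify(packet, alice_pub=ALICE_PUB, bob_priv=BOB_PRIV):
    """What Bob can verify: the signature, then recover K and check the MAC."""
    if not third_party_check(packet, alice_pub):
        return False
    _, enc_k, tag, msg = packet
    k = rsa_apply(enc_k, bob_priv)
    return hmac.compare_digest(tag, mac(k, msg))

def bob_forge(packet, new_msg, bob_priv=BOB_PRIV):
    """Non-transferability: Bob knows K, so he can re-MAC any text under Alice's
    genuine signature on Encrypt_Bob(K); a third party cannot tell which is real."""
    sig, enc_k, _, _ = packet
    k = rsa_apply(enc_k, bob_priv)
    return sig, enc_k, mac(k, new_msg), new_msg
```

Note that `bob_verify` accepts both the genuine and the forged packet, which is exactly why showing the real one around proves nothing to anyone but Bob.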