Recipient-verifiable messages, was: forwarding an encrypted PGP message is useless
"Hal Finney" <hal@finney.org> Thu, 11 April 2002 16:09 UTC
Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA04628 for <openpgp-archive@lists.ietf.org>; Thu, 11 Apr 2002 12:09:59 -0400 (EDT)
Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g3BFsm205586 for ietf-openpgp-bks; Thu, 11 Apr 2002 08:54:48 -0700 (PDT)
Received: from finney.org (226-132.adsl2.netlojix.net [207.71.226.132]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3BFslm05579 for <ietf-openpgp@imc.org>; Thu, 11 Apr 2002 08:54:47 -0700 (PDT)
Received: (from hal@localhost) by finney.org (8.11.6/8.11.6) id g3BFjdw11622 for ietf-openpgp@imc.org; Thu, 11 Apr 2002 08:45:39 -0700
Date: Thu, 11 Apr 2002 08:45:39 -0700
From: Hal Finney <hal@finney.org>
Message-Id: <200204111545.g3BFjdw11622@finney.org>
To: ietf-openpgp@imc.org
Subject: Recipient-verifiable messages, was: forwarding an encrypted PGP message is useless
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
[Redirected to just OpenPGP list. I guess this was a Mozilla bug discussion that someone copied here?] Sam Roberts <sroberts@uniserve.com> writes: > S/MIME only uses the signed and enveloped types from CMS, but RFC2630 > specifies authenticated as well. Its not well described there, but it is a > way of "signing" something using a key agreement algorithm, such that the > signature can ONLY be verified by using the sender or the receiver's > private key. I haven't read this RFC, but I had a long discussion with Wei Dai last year about ways to do this within the OpenPGP framework. We came up with a couple of ideas. These might be called "recipient-verifiable" signed messages, to distinguish them from the regular PGP signed messages which are "world-verifiable". The general approach is to make the message such that the recipient could "forge" fake messages from the sender that look legitimate to third parties. This prevents the real message from being shown around in a convincing way. Wei suggested that the recipient-verifiable message from Alice to Bob could be as follows: Sign_Alice( Encrypt_Bob( K ) ), MAC_K( Msg ), Msg. The idea is that Alice chooses a MAC key K, encrypts it to Bob and then signs the encrypted packet. She sends this, along with the MAC'd message, to Bob. Bob can recover K from the encrypted packet, verifying the signature by Alice on that packet, and then verify the MAC. But if Bob shows this to someone else, although he may be able to convince them that K was signed by Alice, he can't show that Msg is what she sent. Given K, Bob could have MAC'd any message with that K and replaced Msg with that. So there is no evidence that Msg is what Alice actually signed, hence she is not bound by it. A subtlety is that if you did Encrypt_Bob( Sign_Alice( K ) ) instead, this would let Bob remove his encryption envelope and then re-encrypt for someone else, making them think that Alice had directed the message to them and letting them verify the signature. So the reverse ordering is important. I proposed a different method, which basic idea is expressed in a paper by Rivest, Shamir and Tauman, "How to Leak a Secret", available from http://theory.lcs.mit.edu:80/~rivest/publications.html. This paper shows how to produce a signature which can be verified to be from a specific list of keys, but you can't tell which key on the list made the signature. It is very simple and efficient for RSA keys. I think extensions are possible for discrete log keys, but the paper doesn't cover that. For the recipient-verifiable signature, Alice would create one of these multiple-signer signatures based on exactly two keys, Bob's and hers. Anyone can verify that the resulting message has been signed by Alice or Bob, but there is no way to tell which. Alice then sends the message to Bob. He knows that he didn't sign it, so it must have been Alice. But if he shows it to someone else, all they can see is that either Bob or Alice signed it, so Bob could have created a signature like this for any message he wanted. Again there is no way for Bob to show the message convincingly to a third party, and Alice is protected. David Chaum has a patent on a variation on this idea, and he gave a talk at PGP several years ago in which he advocated that recipient-verifiable signatures are very useful, and in fact ought to be the default for an email encryption system like PGP. As others in this thread have commented, often you don't want to sign something such that you can be bound by it later, but you do want to assure the recipient that the message is authentic. Only rarely do you want to make a signature that anyone can read. Unfortunately I think that adding a new flavor of signature would tend to create confusion among users who at best barely understand public key cryptography. The new kind of signature would have very different security properties and usage scenarios, so it would add additional complexity for people to deal with. Hal
- Recipient-verifiable messages, was: forwarding an… Hal Finney
- Re: Recipient-verifiable messages, was: forwardin… vedaal
- Re: Recipient-verifiable messages, was: forwardin… john.dlugosz
- Re: Recipient-verifiable messages, was: forwardin… john.dlugosz
- Re: Recipient-verifiable messages Jon Callas
- Re: Recipient-verifiable messages David P. Kemp
- Re: Recipient-verifiable messages Jon Callas
- Re: Recipient-verifiable messages David P. Kemp
- Re: Recipient-verifiable messages, was: forwardin… Adam Back
- Re: Recipient-verifiable messages, was: forwardin… Hal Finney
- Re: Recipient-verifiable messages, was: forwardin… Hal Finney
- Re: Recipient-verifiable messages, was: forwardin… Adam Back
- Re: Recipient-verifiable messages, was: forwardin… Hal Finney
- Re: Recipient-verifiable messages, was: forwardin… Werner Koch
- non-transferable sigs with hashes and encryption … Adam Back
- Re: Recipient-verifiable messages, was: forwardin… Bodo Moeller
- Re: Recipient-verifiable messages, was: forwardin… Bodo Moeller