Florian Weimer wrote:
With sign, then encrypt, it's also possible that the receiver decrypts
the message, and then leaks it, potentially giving the impression that
the signer authorized the disclosure.  There has been a fair bit of
buzz about this confusion.  But the lesson from that seems to be that
signature semantics are very hard to agree upon, and most marginally
successful standards sidestep the issue anyway, acting as a mere
transport protocol.

re:
http://www.garlic.com/~lynn/aadsm26.htm#62 Public key encrypt-then-sign or 
sign-then-encrypt?
http://www.garlic.com/~lynn/aadsm26.htm#63 Public key encrypt-then-sign or 
sign-then-encrypt?

there is the issue for some kinds of operations of having integral 
authentication
and integrity .... or integral authentication and privacy ... or integral privacy and integrity.

so there is the whole issue of semantic confusion with the term digital
signature .... because it contains the word "signature" ... leading to
confusion that it might somehow be related to human signature ... aka
things like intent and a human having read, understood, approves, agrees,
and/or authorizes.

on the other hand ... digital signatures can get into various kinds of
dual-use attacks ... when the same private key is being used in a purely
authentication protocol (server sends random data to be digitally
signed ... as countermeasure to replay attack) ... and also in a
authentication+integrity protocol ... where the contents being digitally
signed is presumed to carry some sort of meaning (and that a digital
just happens to be performed ... carries some additional implication
other than authentication+integrity).

there is this slightly x-over thread from sci.crypt
http://www.garlic.com/~lynn/2007i.html#63 public key password authentication
http://www.garlic.com/~lynn/2007i.html#73 public key password authentication
http://www.garlic.com/~lynn/2007i.html#74 public key password authentication

where there is possibly the suggestion that if the only thing being performed
is authentication (and doesn't require either integrity and/or privacy) ...
then possibly a totally different protocol by utilized (rather than
digital signature) ... to help minimize the apparent extensive (human)
confusion where the same technology might be used for both authentication
only operations as well as authentication plus integrity operations
(and where having the word "signature" in the term also appears to
contribute significant additional confusion).

however, in the x-over thread from sci.crypt ... i mention that if both authentication and integrity are both required ... that potentially
if they are done as separate operation ... that there can be (security)
openings provided to attackers for things like man-in-the-middle attacks.

in the "naked" transaction metaphor mentioned in these postings
http://www.garlic.com/~lynn/subintegrity.html#payments

it is possible that if authentication is performed separately from any
integrity provisions applied to the actual transactions ... that it may
be an opening for a man-in-the-middle attack (or other kinds of attacks)

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to