RE: Signing before Encryption and Signing after Encryption
- From: "David Gillett" <gillettdavid@xxxxxxxx>
- Date: Wed, 22 Mar 2006 12:10:47 -0800
Good points.
If both asymmetric keys are used, the private key needs to be
used first (for the same reasons that signing should be done
first). [Hmmm. This only works if the encryption is NOT transitive,
ie F(k1,F(k2,t)) <> F(k2,F(k1,t)). I don't recall seeing this
property discussed as a characteristic of encryption algorithms,
so I'm not sure whether it's taken for granted, or relatively
rare.]
If the signing is done over the whole message and not just the
hash, you no longer need to include the original text, so the
message size shrinks back to the original, not double. (But
that's with the overhead of two asymmetric encryptions, so
you get to trade CPU load against message inflation.)
David Gillett
-----Original Message-----
From: Gregory Rubin [mailto:grrubin@xxxxxxxxx]
Sent: Wednesday, March 22, 2006 10:09 AM
To: gillettdavid@xxxxxxxx
Cc: security-basics@xxxxxxxxxxxxxxxxx
Subject: Re: Signing before Encryption and Signing after Encryption
David,
Encrypting with a private key is equivalent to signing it
(and is actually how signing usually takes place). So in
your scenario (using solely asymmetric keys):
Alice encrypts the message first with Bob's public key and
then with Alice's private key.
Mallory decrypts the message with Alice's public key (since
the public key is the inverse of the private key) and is left
with just the message encrypted to Bob's public key.
The attack proceeds as before.
Signing a message usually consists of encrypting a secure
hash of the message with your private key. Using a hash
(even one such as MD5 or
SHA1) does not add to the security at all, but instead
weakens the security of the signature. The only reason for
the hash is efficiency. As already noted in this thread,
asymmetric encryption is slow, so by only signing the hash,
it is much faster. Also, if instead of signing the hash you
were to sign the message, you'd double the size of the
message that needs to be transmitted. Using hashes
introduces all of the risks associated with hash collisions,
a risk that would never occur if you were to sign the message
directly.
(Please correct me if I'm wrong. It's been a while since
I've worked on the underlying math and strategies.)
On 3/22/06, David Gillett <gillettdavid@xxxxxxxx> wrote:
You're quite correct. I can think of cases where I'dwant to have
the encrypted text signed (more often by a machine than by acommonly used
human...), but you've reminded me why that's not an acceptable
substitute for signing the plaintext.
IFF you do the encryption with Asymmetric keys, Alice can encrypt
the message with both Bob's public key and her own private key, but
we've already talked about why Symmetric keys are more
for encryption.*invisibly* all the
"Sign after encryption" allows for a message to be encrypted by
anyone who has the symmetric key, and signed by someone else; "sign
before encryption" confirms that Alice signed the text and we don't
care who encrypted it.
And actually, "sign before encryption" happens
time, as signed messages may travel across encrypted links and beEncryption
automatically decrypted before delivery.
I stand corrected.
David Gillett
-----Original Message-----
From: Gregory Rubin [mailto:grrubin@xxxxxxxxx]
Sent: Tuesday, March 21, 2006 6:53 PM
To: gillettdavid@xxxxxxxx; security-basics@xxxxxxxxxxxxxxxxx
Subject: Re: Signing before Encryption and Signing after
possible to
The problem with signing after encryption is that it is
Considerstrip the signature off and claim a message as your own.
message, but shethe following situation (encrypted text is signed, not the plain
text).
Alice wants to authenticate herself to Bob, so she composes a
message with secret information, encrypts it to Bob's public key,
and then signs it with her private key and sends it off.
Mallory intercepts the message. She can't read the
her key andcan strip off the signature so she now just has the message
encrypted to Bob's key. She now signs the message with
message withsends it on.
Bob now receives the secret information in an encrypted
Mallory knowsa valid signature by Mallory. Ergo, he believes that
Symmetric,this secret information. This is a problem.
If the signature is on the plain text as opposed to the private
text, this attack fails.
Greg Rubin
On 3/21/06, David Gillett <gillettdavid@xxxxxxxx> wrote:
Signing requires a private key -- therefore, it *must* be
Asymmetric. Asymmetric is typically much slower than
opposite isso you get things like SSL that use Asymmetric to protect theexchange of
the Symmetric key used for actual payload encryption.blocked if the
Signing after encryption allows the signature to be verified
before/without decrypting the payload. There are a variety of
circumstances in which that could be useful, which are
signing is done first. I can't think of any where the
Encryptiontrue.
David Gillett, CISSP
-----Original Message-----
From: shyaam@xxxxxxxxx [mailto:shyaam@xxxxxxxxx]
Sent: Tuesday, March 21, 2006 9:28 AM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: Signing before Encryption and Signing after
appologize again.and Signing
Hello All,
I was asked a question in an interview. I would like to know
more about this. I am sorry if it is really basic question.
What are the tradeoffs between Signing before Encryption
when you useafter Encryption? Please do let me know on either case
a Symmetric Key and an Asymmetric key.
I am sure that this is a very basic question. I
ONLINE The
Kind Regards,
Shyaam
--------------------------------------------------------------
-------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE -
with degreeNorwich University program offers unparalleled Infosec
management education and the case study affords you unmatched
consulting experience.
Tailor your education to your own professional goals
--------------------------------------------------------------------Continuitycustomizations including Emergency Management, Business
Planning, Computer Emergency Response Teams, and Digital
Investigations.
http://www.msia.norwich.edu/secfocus
--------------------------------------------------------------
-------------
management--
----- EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE -ONLINE The
Norwich University program offers unparalleled Infosec
with degreeeducation and the case study affords you unmatchedconsulting experience.
Tailor your education to your own professional goals
Continuitycustomizations including Emergency Management, Business
--------------------------------------------------------------------Planning, Computer Emergency Response Teams, and DigitalInvestigations.
http://www.msia.norwich.edu/secfocus
--
-----
---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.
http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
- Follow-Ups:
- RE: MS Windows Hidden Shares
- From: Jeffrey Smith
- Re: Signing before Encryption and Signing after Encryption
- From: Gregory Rubin
- RE: MS Windows Hidden Shares
- References:
- Re: Signing before Encryption and Signing after Encryption
- From: Gregory Rubin
- Re: Signing before Encryption and Signing after Encryption
- Prev by Date: Re: application for an employment
- Next by Date: Re: Signing before Encryption and Signing after Encryption
- Previous by thread: Re: Signing before Encryption and Signing after Encryption
- Next by thread: Re: Signing before Encryption and Signing after Encryption
- Index(es):
Relevant Pages
|
|
