[cryptography] deniable store and forward with integrity protection?
david-sarah at jacaranda.org
Tue Feb 15 23:35:52 EST 2011
On 2011-02-16 03:49, Adam Back wrote:
> Ian Brown and I proposed a simpler, non-interactive, approach for use in
> OpenPGP we called "non-transferable signatures".
> The basic idea is you use an integrity protected (non-malleable) symmetric
> encryption option in PGP, and then change the signature packet to be a
> public key signature of the hash of the symmetric key and the recipient's
> public key.
> RSA_Enc( B_pub, sk ) +
> RSA_Sig( A_pri, H( sk, B_pub ) ) +
> c = Sym_Enc( sk, M ) +
> Mac( sk, c )
> It proves A sent B a message, but only proves the content of the message to
> B; if B attempts to transfer the signature to C, C can't distinguish whether
> B forged the message vs A signed the message.
This protocol and the one I gave in my earlier reply on this thread are
similar, but this one uses Encrypt-and-Sign rather than Encrypt-then-Sign.
It relies on the fact that B_pub is included in H( sk, B_pub ) to prevent
the forgery attacks I pointed out there.
David-Sarah Hopwood ⚥ http://davidsarah.livejournal.com
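
The construction quoted above, as an added example that is not part of the original post or of any OpenPGP implementation: it shows that B can reuse A's signature over a message A never wrote, and that a packet re-addressed to C's key fails because B_pub is inside the signed hash. Assumptions: textbook RSA over constructed Mersenne-prime keys, a SHA-256 counter keystream standing in for Sym_Enc, HMAC-SHA256 as Mac, and hypothetical function names throughout.

```python
import hashlib, hmac, os

# Constructed toy keys: textbook RSA, no padding. For illustration only.
def keygen(p, q, e=65537):
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

A_PUB, A_PRI = keygen(2**521 - 1, 2**607 - 1)
B_PUB, B_PRI = keygen(2**127 - 1, 2**521 - 1)
C_PUB, C_PRI = keygen(2**107 - 1, 2**607 - 1)

def H(sk, pub):  # H( sk, B_pub ); repr() of the key tuple is an assumed encoding
    return int.from_bytes(hashlib.sha256(sk + repr(pub).encode()).digest(), "big")

def sym(sk, data):  # stand-in Sym_Enc: XOR with a keystream, so it is its own inverse
    blocks = range(len(data) // 32 + 1)
    ks = b"".join(hashlib.sha256(sk + i.to_bytes(4, "big")).digest() for i in blocks)
    return bytes(a ^ b for a, b in zip(data, ks))

def mac(sk, c):
    return hmac.new(sk, c, hashlib.sha256).digest()

def send(a_pri, b_pub, msg):
    sk = os.urandom(16)
    c = sym(sk, msg)
    return (pow(int.from_bytes(sk, "big"), b_pub[1], b_pub[0]),  # RSA_Enc( B_pub, sk )
            pow(H(sk, b_pub), a_pri[1], a_pri[0]),               # RSA_Sig( A_pri, H( sk, B_pub ) )
            c, mac(sk, c))                                       # c, Mac( sk, c )

def receive(a_pub, my_pub, my_pri, packet):
    enc_sk, sig, c, tag = packet
    sk = pow(enc_sk, my_pri[1], my_pri[0]).to_bytes(16, "big")
    # The signature must cover this recipient's own public key.
    if pow(sig, a_pub[1], a_pub[0]) != H(sk, my_pub):
        return None
    if not hmac.compare_digest(tag, mac(sk, c)):
        return None
    return sym(sk, c)

def b_forges(b_pri, packet, fake_msg):
    # B knows sk, so B can attach A's signature to any ciphertext and MAC.
    enc_sk, sig, _, _ = packet
    sk = pow(enc_sk, b_pri[1], b_pri[0]).to_bytes(16, "big")
    c = sym(sk, fake_msg)
    return (enc_sk, sig, c, mac(sk, c))

def readdress(b_pri, c_pub, packet):
    # B re-wraps sk for C but cannot change what A signed.
    enc_sk, sig, c, tag = packet
    sk = pow(enc_sk, b_pri[1], b_pri[0])
    return (pow(sk, c_pub[1], c_pub[0]), sig, c, tag)
```

Because the forged packet verifies exactly like the genuine one, a transcript handed to C proves nothing about the content; the re-addressed packet returns None at C because H( sk, C_pub ) differs from the value A signed.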