Security Basics mailing list archives
RE: Signing before Encryption and Signing after Encryption
From: "David Gillett" <gillettdavid () fhda edu>
Date: Wed, 22 Mar 2006 12:10:47 -0800
Good points.

If both asymmetric keys are used, the private key needs to be used first (for the same reasons that signing should be done first). [Hmmm. This only works if the encryption is NOT transitive, i.e. F(k1,F(k2,t)) <> F(k2,F(k1,t)). I don't recall seeing this property discussed as a characteristic of encryption algorithms, so I'm not sure whether it's taken for granted, or relatively rare.]

If the signing is done over the whole message and not just the hash, you no longer need to include the original text, so the message size shrinks back to the original, not double. (But that's with the overhead of two asymmetric encryptions, so you get to trade CPU load against message inflation.)

David Gillett
-----Original Message-----
From: Gregory Rubin [mailto:grrubin () gmail com]
Sent: Wednesday, March 22, 2006 10:09 AM
To: gillettdavid () fhda edu
Cc: security-basics () securityfocus com
Subject: Re: Signing before Encryption and Signing after Encryption

David,

Encrypting with a private key is equivalent to signing it (and is actually how signing usually takes place). So in your scenario (using solely asymmetric keys): Alice encrypts the message first with Bob's public key and then with Alice's private key. Mallory decrypts the message with Alice's public key (since the public key is the inverse of the private key) and is left with just the message encrypted to Bob's public key. The attack proceeds as before.

Signing a message usually consists of encrypting a secure hash of the message with your private key. Using a hash (even one such as MD5 or SHA1) does not add to the security at all, but instead weakens the security of the signature. The only reason for the hash is efficiency. As already noted in this thread, asymmetric encryption is slow, so by only signing the hash, it is much faster. Also, if instead of signing the hash you were to sign the message, you'd double the size of the message that needs to be transmitted. Using hashes introduces all of the risks associated with hash collisions, a risk that would never occur if you were to sign the message directly.

(Please correct me if I'm wrong. It's been a while since I've worked on the underlying math and strategies.)

On 3/22/06, David Gillett <gillettdavid () fhda edu> wrote:
> You're quite correct. I can think of cases where I'd want to have the encrypted text signed (more often by a machine than by a human...), but you've reminded me why that's not an acceptable substitute for signing the plaintext.
>
> IFF you do the encryption with Asymmetric keys, Alice can encrypt the message with both Bob's public key and her own private key, but we've already talked about why Symmetric keys are more commonly used for encryption.
>
> "Sign after encryption" allows for a message to be encrypted by anyone who has the symmetric key, and signed by someone else; "sign before encryption" confirms that Alice signed the text and we don't care who encrypted it.
>
> And actually, "sign before encryption" happens *invisibly* all the time, as signed messages may travel across encrypted links and be automatically decrypted before delivery.
>
> I stand corrected.
>
> David Gillett
>
> -----Original Message-----
> From: Gregory Rubin [mailto:grrubin () gmail com]
> Sent: Tuesday, March 21, 2006 6:53 PM
> To: gillettdavid () fhda edu; security-basics () securityfocus com
> Subject: Re: Signing before Encryption and Signing after Encryption
>
> The problem with signing after encryption is that it is possible to strip the signature off and claim a message as your own. Consider the following situation (encrypted text is signed, not the plain text).
>
> Alice wants to authenticate herself to Bob, so she composes a message with secret information, encrypts it to Bob's public key, and then signs it with her private key and sends it off.
>
> Mallory intercepts the message. She can't read the message, but she can strip off the signature so she now just has the message encrypted to Bob's key. She now signs the message with her key and sends it on.
>
> Bob now receives the secret information in an encrypted message with a valid signature by Mallory. Ergo, he believes that Mallory knows this secret information. This is a problem.
>
> If the signature is on the plain text as opposed to the private text, this attack fails.
>
> Greg Rubin
>
> On 3/21/06, David Gillett <gillettdavid () fhda edu> wrote:
> > Signing requires a private key -- therefore, it *must* be Asymmetric. Asymmetric is typically much slower than Symmetric, so you get things like SSL that use Asymmetric to protect the exchange of the Symmetric key used for actual payload encryption.
> >
> > Signing after encryption allows the signature to be verified before/without decrypting the payload. There are a variety of circumstances in which that could be useful, which are blocked if the signing is done first. I can't think of any where the opposite is true.
> >
> > David Gillett, CISSP
> >
> > -----Original Message-----
> > From: shyaam () gmail com [mailto:shyaam () gmail com]
> > Sent: Tuesday, March 21, 2006 9:28 AM
> > To: security-basics () securityfocus com
> > Subject: Signing before Encryption and Signing after Encryption
> >
> > Hello All,
> >
> > I was asked a question in an interview. I would like to know more about this. I am sorry if it is a really basic question. What are the tradeoffs between Signing before Encryption and Signing after Encryption? Please do let me know on either case when you use a Symmetric Key and an Asymmetric key. I am sure that this is a very basic question. I apologize again.
> >
> > Kind Regards,
> > Shyaam
> >
> > ---------------------------------------------------------------------------
> > EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
> > The Norwich University program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Tailor your education to your own professional goals with degree customizations including Emergency Management, Business Continuity Planning, Computer Emergency Response Teams, and Digital Investigations.
> > http://www.msia.norwich.edu/secfocus
> > ---------------------------------------------------------------------------
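
An added example (not part of the original thread) of the signature-stripping scenario Greg Rubin describes above, next to the variant where the signature covers the plaintext. It uses toy textbook RSA on small constructed keys with only the Python standard library; every function and variable name is an assumption made for illustration.

```python
import hashlib

# Toy textbook RSA on Mersenne primes (constructed keys, no padding): illustration only.
def keypair(p_bits, q_bits, e=65537):
    p, q = 2**p_bits - 1, 2**q_bits - 1
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

BOB = keypair(521, 607)                      # recipient
KEYS = {"alice": keypair(127, 107), "mallory": keypair(89, 61)}  # signers Bob knows
SIG_LEN = 32                                 # fixed-width signature field, in bytes

def to_bytes(i):
    return i.to_bytes((i.bit_length() + 7) // 8, "big")

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key, data):                         # private-key operation on the hash
    return pow(digest(data, key["n"]), key["d"], key["n"])

def verify(key, data, sig):
    return pow(sig, key["e"], key["n"]) == digest(data, key["n"])

def encrypt(key, data):                      # public-key operation on the message
    return pow(int.from_bytes(data, "big"), key["e"], key["n"])

def decrypt(key, c):
    return to_bytes(pow(c, key["d"], key["n"]))

def encrypt_then_sign(sender, msg):          # signature covers only the ciphertext
    c = encrypt(BOB, msg)
    return (sender, c, sign(KEYS[sender], to_bytes(c)))

def strip_and_resign(envelope, new_signer):  # the step Mallory takes in the thread
    _, c, _ = envelope
    return (new_signer, c, sign(KEYS[new_signer], to_bytes(c)))

def bob_open_ets(envelope):
    name, c, sig = envelope
    return (name, decrypt(BOB, c)) if verify(KEYS[name], to_bytes(c), sig) else None

def sign_then_encrypt(sender, msg):          # signature covers the plaintext
    sig = sign(KEYS[sender], msg).to_bytes(SIG_LEN, "big")
    return (sender, encrypt(BOB, msg + sig))

def bob_open_ste(envelope):
    name, c = envelope
    payload = decrypt(BOB, c)
    msg, sig = payload[:-SIG_LEN], int.from_bytes(payload[-SIG_LEN:], "big")
    return (name, msg) if verify(KEYS[name], msg, sig) else None

SECRET = b"constructed secret known only to Alice"  # constructed sample message
```

With the signature on the ciphertext, Bob accepts the re-signed envelope and attributes the secret to the new signer; with the signature inside the encrypted payload, relabelling the envelope makes verification fail.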