Security Basics mailing list archives

RE: Signing before Encryption and Signing after Encryption


From: "John Lightfoot" <jlightfoot () gmail com>
Date: Tue, 21 Mar 2006 13:17:04 -0600

It's my belief that it's better to sign before encryption.  That way, when
you sign the document, you know what you've signed.  If you encrypt the
message before signing it, you're verifying that you sent the encrypted
text, but you have no proof that the encryption process didn't change the
contents of what you signed.

A signing process must use asymmetric keys.  The private key is used to sign
the document.  The reason the signature is valid is that the signer is the
only person who has access to the private key.  In order to verify a
signature, the recipient uses the public key.

Encryption can use either symmetric or asymmetric keys.  In general, there
is more computational overhead in using asymmetric keys, but there is
potentially more risk to using symmetric keys since the key must be shared
with the recipient.  SSL uses both types of encryption.  It uses asymmetric
keys in order to establish the initial secure channel, then uses that
channel to exchange the symmetric keys.  The symmetric keys are then used to
encrypt further communication with lower overhead.

-----Original Message-----
From: shyaam () gmail com [mailto:shyaam () gmail com] 
Sent: Tuesday, March 21, 2006 11:28 AM
To: security-basics () securityfocus com
Subject: Signing before Encryption and Signing after Encryption

Hello All,
I was asked a question in an interview. I would like to know more about
this. I am sorry if it is a really basic question.

What are the tradeoffs between Signing before Encryption and Signing after
Encryption? Please do let me know on either case when you use a Symmetric
Key and an Asymmetric key. 

I am sure that this is a very basic question. I apologize again.

Kind Regards,
Shyaam
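
The point in the reply above about what a signature actually covers, as an added example that is not part of the original messages: with sign-then-encrypt the recipient verifies the signature against the plaintext they recovered, while with encrypt-then-sign the signature verifies against the ciphertext whatever it decrypts to. Assumptions: the RSA key built from two Mersenne primes and the SHA-256 keystream cipher are constructed stand-ins that are not secure, and all function names are hypothetical.

```python
import hashlib

# Toy RSA key from two Mersenne primes: trivially factorable, illustration only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held only by the signer
SIG_LEN = (N.bit_length() + 7) // 8

def _digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data: bytes) -> int:
    """Private-key operation: only the holder of D can produce this value."""
    return pow(_digest(data), D, N)

def verify(data: bytes, sig: int) -> bool:
    """Public-key operation: anyone holding (N, E) can check the signature."""
    return pow(sig, E, N) == _digest(data)

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher (SHA-256 counter keystream); encrypts and decrypts."""
    blocks = range(len(data) // 32 + 1)
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in blocks)
    return bytes(a ^ b for a, b in zip(data, stream))

def sign_then_encrypt(key: bytes, msg: bytes) -> bytes:
    # The signature is computed over the plaintext and travels inside the ciphertext.
    return xor_stream(key, msg + sign(msg).to_bytes(SIG_LEN, "big"))

def open_sign_then_encrypt(key: bytes, blob: bytes):
    plain = xor_stream(key, blob)
    msg, sig = plain[:-SIG_LEN], int.from_bytes(plain[-SIG_LEN:], "big")
    return msg, verify(msg, sig)  # checked against what was actually decrypted

def encrypt_then_sign(key: bytes, msg: bytes):
    ct = xor_stream(key, msg)
    return ct, sign(ct)  # the signature covers the ciphertext only

def open_encrypt_then_sign(key: bytes, ct: bytes, sig: int):
    return xor_stream(key, ct), verify(ct, sig)  # says nothing about the plaintext

if __name__ == "__main__":
    good, wrong = b"k" * 16, b"w" * 16  # constructed keys
    msg = b"pay 100 to Alice"           # constructed message
    print(open_sign_then_encrypt(wrong, sign_then_encrypt(good, msg))[1])  # False
    print(open_encrypt_then_sign(wrong, *encrypt_then_sign(good, msg))[1])  # True
```
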
