Re: Combining signing and encrypting

David Solo,, writes:
> At the workshop, I promised to send a couple paragraphs on minimum
> requirements around handling documents with both encryption and signatures
> (sorry about the delay, I've been moving and on vacation).
> In general, both signature and encryption operations may be performed on
> an XML document.  Depending on the usage case (see below), a signature
> may be applied to plaintext or ciphertext portions of documents.
> To verify a signature, the recipient must know whether to decrypt
> before or after signature verification (possibly differently for
> different encrypted portions).  In order to enable efficient and
> automated signature validation, a goal of the design should be to allow
> well-behaved applications to indicate to the verifier/recipient how
> to unambiguously figure out in which order to perform decryption and
> signature validation operations (ill-behaved applications may always cause
> things to break). [Note: the suggestion is to add this last sentence to
> the requirements document.]

One approach would be, when signing before encrypting, to always encrypt
the signature block along with the data being encrypted.  This is good for
two reasons.  First, since the sig can't be verified without decrypting
the data, you might as well do this.

Second, if you don't do this, the signature may leak information about
the data being encrypted.  In particular it allows for guesses at the
content of the encrypted data to be confirmed.

Hal Finney PGP Security

Received on Tuesday, 21 November 2000 13:51:43 UTC