
Re: Combining signing and encrypting

From: <hal@finney.org>
Date: Tue, 21 Nov 2000 10:52:25 -0800
Message-Id: <200011211852.KAA30847@finney.org>
To: david.solo@citicorp.com, xml-encryption@w3.org

David Solo, david.solo@citicorp.com, writes:
> At the workshop, I promised to send a couple paragraphs on minimum
> requirements around handling documents with both encryption and signatures
> (sorry about the delay, I've been moving and on vacation).
> In general, both signature and encryption operations may be performed on
> an XML document.  Depending on the usage case (see below), a signature
> may be applied to plaintext or ciphertext portions of documents.
> To verify a signature, the recipient must know whether to decrypt
> before or after signature verification (possibly differently for
> different encrypted portions).  In order to enable efficient and
> automated signature validation, a goal of the design should be to allow
> well-behaved applications to indicate to the verifier/recipient how
> to unambiguously figure out in which order to perform decryption and
> signature validation operations (ill-behaved applications may always cause
> things to break). [Note: the suggestion is to add this last sentence to
> the requirements document.]

One approach would be, when signing before encrypting, to always encrypt
the signature block along with the data being encrypted.  This is good for
two reasons.  First, since the sig can't be verified without decrypting
the data, you might as well do this.

Second, if you don't do this, the signature may leak information about
the data being encrypted.  In particular it allows for guesses at the
content of the encrypted data to be confirmed.

Hal Finney PGP Security
Received on Tuesday, 21 November 2000 13:51:43 UTC
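
Added example, not part of the original message or of any XML Encryption code: a Python sketch of the leak described in the reply, comparing a signature left outside the encrypted portion with a signature block encrypted along with the data. The toy RSA key, the SHA-256 counter-mode stand-in cipher, the message layout and all function names are assumptions made for the illustration.

```python
import hashlib
import secrets

# Toy RSA key from two Mersenne primes: constructed for this example, far too small for real use.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
SIG_LEN = (N.bit_length() + 7) // 8

def digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign(data: bytes) -> int:
    return pow(digest(data), D, N)

def verify(data: bytes, sig: int) -> bool:
    # Needs only the public values (N, E), so any observer can run it.
    return pow(sig, E, N) == digest(data)

def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # SHA-256 in counter mode, a stand-in for a real cipher (encrypt == decrypt).
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], pad))
    return bytes(out)

def seal_sig_outside(key: bytes, data: bytes) -> dict:
    # Sign, then encrypt only the data; the signature travels in the clear.
    nonce = secrets.token_bytes(16)
    return {"nonce": nonce, "ct": stream_xor(key, nonce, data), "sig": sign(data)}

def seal_sig_inside(key: bytes, data: bytes) -> dict:
    # Sign, then encrypt signature block and data together.
    nonce = secrets.token_bytes(16)
    blob = sign(data).to_bytes(SIG_LEN, "big") + data
    return {"nonce": nonce, "ct": stream_xor(key, nonce, blob)}

def open_sig_inside(key: bytes, msg: dict) -> bytes:
    blob = stream_xor(key, msg["nonce"], msg["ct"])
    sig, data = int.from_bytes(blob[:SIG_LEN], "big"), blob[SIG_LEN:]
    if not verify(data, sig):
        raise ValueError("signature check failed")
    return data

def confirm_guess(msg: dict, guesses: list):
    # What a party WITHOUT the decryption key learns from the visible fields.
    if "sig" not in msg:
        return None  # nothing verifiable is exposed
    return next((g for g in guesses if verify(g, msg["sig"])), None)
```

With the signature outside, `confirm_guess` picks the true plaintext out of a candidate list using only the public key; with the signature inside, the same observer gets `None`, while the keyed recipient still decrypts and verifies in one pass.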
