- From: <hal@finney.org>
- Date: Sun, 25 Mar 2001 11:11:20 -0800
- To: AMIR@newgenpay.com, xml-encryption@w3.org
Amir Herzberg writes:

> I think we get closer to the real issue, which is: the existing spec seems
> to exclude the possibility of signing plaintext (as well as possibly
> ciphertext) of encrypted objects. In many secure e-payments and e-commerce
> applications, we sign plaintext to provide non-repudiation (without exposing
> all content to some parties that still need to verify the signature). I now
> understand that the current draft intentionally excludes this for security
> concerns.

I understand now what you mean when you say that you can sign the plaintext and not encrypt the signature while retaining security. The same technique is used in a MAC, a Message Authentication Code. It allows for authentication and non-repudiation only to those who share some secret with the signer. Such techniques are commonly used in communication protocols like SSL or IPsec.

However it almost sounds like you are claiming that this form of signature can be verified by parties who don't have access to the plaintext. But clearly a hash-based signature, even if it involves some secret material, can only be verified if the plaintext which was hashed is available to the verifier.

You write above that you want to provide non-repudiation "without exposing all content to some parties that still need to verify the signature". Are you saying that you will not expose some of the SIGNED content to a party which is nevertheless able to verify the signature? This is what seems impossible.

If all you want is to have some data signed-and-then-encrypted, and other (unsigned) data encrypted under a different key, that is of course easy using ordinary public key signature technology. This would satisfy your requirement to allow parties to verify signatures without exposing all content to those parties. However those parties would of course be exposed to all content which was signed by the signature being verified.

In this case it seems satisfactory to encrypt the signature under the same key which will be used to decrypt the signed content. Since they must have that decryption key in order to see the plaintext so they can verify the signature, there seems to be no harm in also encrypting the signature under that same key.

I'd appreciate your help in understanding your goals better.

Thanks - Hal Finney
Received on Sunday, 25 March 2001 14:14:56 UTC
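
The layout described in the last two paragraphs of the message, as an added example that is not part of the original post: signed data and its signature are encrypted together under one key, unsigned data under a different key, and only a holder of the first key can recover the plaintext needed to verify. Assumptions: HMAC-SHA256 stands in for the signature and a toy SHA-256 keystream stands in for a real cipher so the sketch runs on the Python standard library alone; all function names, key names and sample data are constructed for illustration.

```python
import hashlib, hmac, os

TAG_LEN = 32  # HMAC-SHA256 output size

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy SHA-256 counter-mode keystream: a stand-in for a real cipher, not for production.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + (i // 32).to_bytes(8, "big")).digest()
        out += bytes(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def encrypt(key: bytes, data: bytes) -> bytes:
    nonce = os.urandom(16)
    return nonce + _xor_stream(key, nonce, data)

def decrypt(key: bytes, blob: bytes) -> bytes:
    return _xor_stream(key, blob[:16], blob[16:])

def build_message(signed_data, other_data, k_signed, k_other, sig_key):
    # The signature is computed over the plaintext, then encrypted with it under k_signed.
    tag = hmac.new(sig_key, signed_data, hashlib.sha256).digest()
    return {"signed_part": encrypt(k_signed, signed_data + tag),
            "other_part": encrypt(k_other, other_data)}

def open_and_verify(blob, key, sig_key):
    # Verification needs the plaintext, so it needs the decryption key first.
    plain = decrypt(key, blob)
    data, tag = plain[:-TAG_LEN], plain[-TAG_LEN:]
    expected = hmac.new(sig_key, data, hashlib.sha256).digest()
    return data if hmac.compare_digest(tag, expected) else None

if __name__ == "__main__":
    # Constructed sample keys and data.
    k_signed, k_other, sig_key = os.urandom(32), os.urandom(32), os.urandom(32)
    msg = build_message(b"pay 100 EUR to merchant 42", b"delivery note",
                        k_signed, k_other, sig_key)
    print(open_and_verify(msg["signed_part"], k_signed, sig_key))  # signed plaintext
    print(decrypt(k_other, msg["other_part"]))                     # unsigned data only
    print(open_and_verify(msg["signed_part"], k_other, sig_key))   # None
```

A party holding only `k_other` reads the unsigned data but can neither see nor verify the signed part, which matches the point that verifying a signature exposes the verifier to everything it covers.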