On 03/28/2014 05:06 PM, Michael Rogers wrote:
> On 27/03/14 17:47, Daniel Kahn Gillmor wrote:
>> if all you care about is a MAC, then you don't need certification
>> of the key out-of-band. stuffing any arbitrary signing key in-band
>> with the message and a signature over it, and having the recipient
>> verify the signature, will give you the equivalent of a MAC on an
>> unsigned message.
>
> No it won't. A man-in-the-middle can strip off the signing key and
> signature, modify the body, and attach a new signing key and
> signature.
Wait, how does the MiTM do this without knowing the shared password?
The signing key and the signature are inside the encrypted bundle.
I'm not saying this is a great scheme to use, and i'm not recommending
it; but i don't see how an attacker without knowledge of the shared
password can modify the contents of an encrypted message without
detection, as long as the recipient knows to expect a bundled signing key.
(and i know, the scheme proposed here is mac-then-encrypt, which is bad
news for a number of reasons, but it should still be integrity-protected
at least)
Sorry if i'm just being dense; feel free to point out if there's
something obvious i'm missing.
--dkg
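The bundled-key scheme as dkg describes it, written up as an added example (not code from the thread or from either participant). Two simplifications are assumptions of this example: the in-band signing key is modelled by a random HMAC key, since the Python standard library has no public-key signatures and the recipient verifies with whatever key is found inside the bundle either way; and "encrypted under the shared password" is modelled by a toy HMAC-based counter-mode keystream, which is bit-malleable exactly like a real stream cipher. The attacker actions are the ones from the quoted exchange: flip ciphertext bits in the body, flip bits where the key sits, or discard the bundle and attach a fresh key and tag without knowing the password. This is the MAC-then-encrypt layout the message itself calls bad news; it is here only to make the inner integrity check concrete.

```python
import hashlib
import hmac
import os
import struct

# Layout of the toy bundle (constructed for this example).
SALT_LEN = 16
NONCE_LEN = 16
KEY_LEN = 32
TAG_LEN = 32
BODY_OFFSET = SALT_LEN + NONCE_LEN + KEY_LEN + TAG_LEN


def derive_key(password: bytes, salt: bytes) -> bytes:
    """Turn the shared password into a 256-bit encryption key."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000, dklen=KEY_LEN)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from HMAC-SHA256 (assumption: stands in for a
    real stream cipher; the malleability is the same as AES-CTR)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_message(password: bytes, body: bytes) -> bytes:
    """Sender: pick an arbitrary fresh key, tag the body with it, bundle
    key || tag || body, then encrypt the whole bundle under the password."""
    tag_key = os.urandom(KEY_LEN)  # the 'arbitrary signing key' of the thread
    tag = hmac.new(tag_key, body, hashlib.sha256).digest()
    plain = tag_key + tag + body
    salt = os.urandom(SALT_LEN)
    nonce = os.urandom(NONCE_LEN)
    key = derive_key(password, salt)
    return salt + nonce + xor_bytes(plain, keystream(key, nonce, len(plain)))


def decrypt_message(password: bytes, blob: bytes):
    """Recipient: decrypt, then verify the body with the key found inside the
    bundle. Returns the body, or None when the inner check fails."""
    if len(blob) < BODY_OFFSET:
        return None
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ct = blob[SALT_LEN + NONCE_LEN:]
    key = derive_key(password, salt)
    plain = xor_bytes(ct, keystream(key, nonce, len(ct)))
    tag_key = plain[:KEY_LEN]
    tag = plain[KEY_LEN:KEY_LEN + TAG_LEN]
    body = plain[KEY_LEN + TAG_LEN:]
    expected = hmac.new(tag_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return body


def flip_bit(blob: bytes, offset: int, bit: int = 0) -> bytes:
    """Attacker action: flip one ciphertext bit without knowing the password."""
    out = bytearray(blob)
    out[offset] ^= 1 << bit
    return bytes(out)


def forge_bundle(body: bytes) -> bytes:
    """Attacker action: drop the original bundle, build a fresh key/tag/body
    bundle of the right shape and encrypt it under a guessed keystream."""
    tag_key = os.urandom(KEY_LEN)
    tag = hmac.new(tag_key, body, hashlib.sha256).digest()
    plain = tag_key + tag + body
    guessed_stream = os.urandom(len(plain))  # password unknown, so a guess
    return os.urandom(SALT_LEN) + os.urandom(NONCE_LEN) + xor_bytes(plain, guessed_stream)


def demo() -> dict:
    """Run the honest path and the three attacker actions; constructed inputs."""
    password = b"correct horse battery staple"
    body = b"transfer 10 EUR to alice"
    blob = encrypt_message(password, body)
    return {
        "honest": decrypt_message(password, blob),
        "body_bit_flipped": decrypt_message(password, flip_bit(blob, BODY_OFFSET)),
        "key_bit_flipped": decrypt_message(password, flip_bit(blob, SALT_LEN + NONCE_LEN)),
        "bundle_replaced": decrypt_message(password, forge_bundle(b"transfer 10000 EUR to mallory")),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'accepted ' + result.decode() if result else 'rejected'}")
```

Only the honest path is accepted: every ciphertext edit lands on either the body (so the inner tag no longer matches) or on the hidden key and tag (so the verifier recomputes a different tag), and a replacement bundle decrypts to noise under the recipient's password-derived keystream. What the example does not show is the rest of the thread's complaint about MAC-then-encrypt (padding and decryption-error oracles, for instance); it only illustrates that the in-band key cannot be swapped by someone who cannot see it.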
_______________________________________________ Messaging mailing list [email protected] https://moderncrypto.org/mailman/listinfo/messaging
