-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 28/03/14 21:22, Daniel Kahn Gillmor wrote:
> Wait, how does the MiTM do this without knowing the shared
> password? The signing key and the signature are inside the
> encrypted bundle.
>
> I'm not saying this is a great scheme to use, and i'm not
> recommending it; but i don't see how an attacker without knowledge
> of the shared password can modify the contents of an encrypted
> message without detection, as long as the recipient knows to expect
> a bundled signing key.

If the encryption is malleable (e.g. counter mode) and the MITM knows the
plaintext of the signing key and signature (e.g. because the sender shared
the same file with the MITM), then the MITM can modify the body and replace
the signing key and signature without knowing the encryption key.

I'm sure it would be possible to design a safe way of doing what you
suggest - perhaps by picking appropriate encryption and signature
primitives, and/or ensuring that signature keys are never reused - but to
me it seems safer and simpler to use a MAC, which is meant for this purpose.

Sorry this has turned into such a long thread, I really just meant it as
an aside. :-)

Cheers,
Michael
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBCAAGBQJTNe4RAAoJEBEET9GfxSfMQBEH/RbdcADJcNTdmO5/O+LGrN56
MZPdMSUI/w9sIYiPmjY2CY1JuGf1r8W8vLs9WBYUgDJQyLBtThpunKF2UuBXJVde
xfZ4qc70yaRS5SgKdPNbFeSsSerqzAjF1ClodINzXOTwwCEynI3owCM2iD9igVC1
AS2lZf5Coh6T9rG/2Q3m0TpN4yj7lzn5rbXhz0YaIg1Ure12WzzktoSSBdN2/Q/W
DMllBSEb1yj10rw8oZ3wW7flPBj+EySjh54ZU7Rik1eqj7ueWzZwMsLth437UT2Z
zphpT4C8RG/UMRx0NDcv+zhG9jh/+bGmOuHlqkct+ARAPSOVSzmxZwfpyY+Fqj0=
=i8W8
-----END PGP SIGNATURE-----
_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
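The point Michael makes above, as an added worked example that is not part of the thread and not code from either poster: a counter-mode ciphertext is plaintext XOR keystream, so anyone who knows the plaintext of a region can substitute other bytes of the same length there without the key, and a bundled "signing key plus signature" offers no defence because the substituted region can carry a different key and a matching signature. A MAC over the ciphertext (encrypt-then-MAC) rejects the tampered message before it is decrypted. Everything below is constructed for the example: the keystream is HMAC-SHA256 in counter mode as a stand-in for AES-CTR (same XOR structure, standard library only), `toy_sign` is a stand-in for a real signature that simply binds a body to whichever key is bundled (any party can pick their own key, as the attacker could with a real keypair), and the field lengths and messages are sample values.

```python
import hashlib
import hmac
import os

KEY_LEN = 32  # bytes of the bundled "signing key" field (constructed layout)
SIG_LEN = 16  # bytes of the bundled "signature" field (constructed layout)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: block i = HMAC-SHA256(key, nonce || i).
    Stand-in for AES-CTR; what matters is that ciphertext = plaintext XOR keystream."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same XOR in counter mode."""
    return xor_bytes(data, keystream(key, nonce, len(data)))


def toy_sign(signing_key: bytes, body: bytes) -> bytes:
    """Constructed stand-in for a signature: ties the body to whichever key is bundled.
    Anyone can choose a key and 'sign', just as an attacker can use their own keypair."""
    return hashlib.sha256(signing_key + body).digest()[:SIG_LEN]


def make_bundle(signing_key: bytes, body: bytes) -> bytes:
    """Plaintext layout assumed by the example: body || signing key || signature."""
    return body + signing_key + toy_sign(signing_key, body)


def check_bundle(plaintext: bytes):
    """Recipient side: split the bundle and verify the bundled signature.
    Returns the body when the signature matches the bundled key, else None."""
    body = plaintext[:-(KEY_LEN + SIG_LEN)]
    signing_key = plaintext[-(KEY_LEN + SIG_LEN):-SIG_LEN]
    sig = plaintext[-SIG_LEN:]
    return body if hmac.compare_digest(sig, toy_sign(signing_key, body)) else None


def substitute_known_plaintext(ciphertext: bytes, known: bytes, new: bytes) -> bytes:
    """Malleability with no key: C XOR P XOR P' == P' XOR keystream."""
    assert len(ciphertext) == len(known) == len(new)
    return xor_bytes(ciphertext, xor_bytes(known, new))


def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes):
    """Encrypt-then-MAC: the tag covers the nonce and the whole ciphertext."""
    ct = ctr_crypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct, tag


def open_sealed(enc_key: bytes, mac_key: bytes, nonce: bytes, ct: bytes, tag: bytes):
    """Verify the tag in constant time before decrypting; None means 'reject'."""
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return ctr_crypt(enc_key, nonce, ct)


def demo():
    """Returns (forgery accepted with CTR only, forgery accepted with CTR + MAC)."""
    enc_key, mac_key, nonce = os.urandom(32), os.urandom(32), os.urandom(16)
    sender_key, mitm_key = os.urandom(KEY_LEN), os.urandom(KEY_LEN)
    original_body = b"pay 10 EUR to alice  "   # constructed, padded to 21 bytes
    forged_body = b"pay 99 EUR to mallory"     # constructed, also 21 bytes
    original = make_bundle(sender_key, original_body)
    forged = make_bundle(mitm_key, forged_body)
    assert len(original) == len(forged)

    # Scenario 1: encryption only. The MITM holds the original plaintext (the
    # sender sent them the same file) and swaps in their own body, key and signature.
    ct = ctr_crypt(enc_key, nonce, original)
    tampered = substitute_known_plaintext(ct, original, forged)
    accepted_ctr = check_bundle(ctr_crypt(enc_key, nonce, tampered)) == forged_body

    # Scenario 2: encrypt-then-MAC. Same substitution; the tag no longer verifies.
    ct2, tag = seal(enc_key, mac_key, nonce, original)
    tampered2 = substitute_known_plaintext(ct2, original, forged)
    accepted_mac = open_sealed(enc_key, mac_key, nonce, tampered2, tag) is not None
    return accepted_ctr, accepted_mac


if __name__ == "__main__":
    print(demo())  # (True, False): CTR alone accepts the forgery, CTR + MAC rejects it
```

The tag is computed over the ciphertext rather than the plaintext so that a tampered message is rejected before any decryption or parsing takes place, and the MAC key is separate from the encryption key; those two choices are what make the MAC "meant for this purpose" in the sense of the reply above.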
