On 11 February 2015 at 05:26, Mike Hearn <[email protected]> wrote:
>> Do you say that from a political sense or from a technical sense of
>> the S/MIME spec? I regularly don't sign my emails for a host of
>> reasons even though I encrypt them.
>
>
> S/MIME presumably allows it, as messages done this way are still readable
> without errors. But normally you want to authenticate after encryption,
> right? Otherwise there can be odd attacks based on bit-flipping that can
> result in a message that decrypts successfully but doesn't say what the
> sender thought they said. There have been a bunch of crypto exploits based
> on this technique over the years.
Only if you're constrained by the format I suppose. You can Encrypt+MAC,
asymmetrically encrypting a secret that's used to derive both the HMAC and
symmetric keys; or you can asymmetrically encrypt a key to be used for an
AEAD mode. PGP has this janky MDC thing
http://tools.ietf.org/html/rfc4880#section-5.14 that would prevent a
bit-flipped message from getting through, but not side channels or attacks
on the decryption process.

-tom
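The Encrypt+MAC construction Tom describes, as an added example that is not code from the thread or from any project mentioned in it. One shared secret (assumed to have been wrapped to the recipient's public key already; that step is omitted) is split with HKDF-SHA256 into an independent encryption key and MAC key, the ciphertext is tagged with HMAC over nonce plus ciphertext, and the receiver verifies the tag in constant time before decrypting. The cipher is a constructed HMAC-SHA256 counter-mode keystream standing in for a real mode such as AES-CTR, so the script runs on the standard library alone. The `demo()` function shows the failure mode from the quoted message: a one-bit change to the ciphertext decrypts "successfully" to a different message when the tag is ignored, and is rejected when it is checked.

```python
"""Encrypt-then-MAC with enc/MAC keys derived from one shared secret.

Added example, not from the original thread. Stdlib only: HKDF-SHA256
(RFC 5869) derives the two keys; the "cipher" is a constructed HMAC-based
counter-mode keystream standing in for AES-CTR. The asymmetric wrap of the
shared secret to the recipient's public key is assumed to have happened
before seal() is called.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

HASH = hashlib.sha256
TAG_LEN = 32
NONCE_LEN = 16


def hkdf(secret: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF-SHA256 extract-and-expand as specified in RFC 5869."""
    prk = hmac.new(salt, secret, HASH).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_keys(secret: bytes) -> Tuple[bytes, bytes]:
    """Split one shared secret into independent encryption and MAC keys."""
    km = hkdf(secret, salt=b"", info=b"example-encrypt-then-mac", length=64)
    return km[:32], km[32:]


def keystream_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Constructed counter-mode keystream (stand-in for AES-CTR).

    XOR is symmetric, so the same call encrypts and decrypts. Like any
    stream cipher it is malleable: flipping a ciphertext bit flips the
    same plaintext bit, which is exactly why a MAC is needed.
    """
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(enc_key, nonce + i.to_bytes(8, "big"), HASH).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def seal(secret: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Encrypt-then-MAC: the tag covers nonce || ciphertext."""
    enc_key, mac_key = derive_keys(secret)
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    ct = keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, HASH).digest()
    return nonce + ct + tag


def open_unauthenticated(secret: bytes, blob: bytes) -> bytes:
    """Decrypt while ignoring the tag: the 'it decrypted, so it is fine' mistake."""
    enc_key, _ = derive_keys(secret)
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN]
    return keystream_xor(enc_key, nonce, ct)


def open_authenticated(secret: bytes, blob: bytes) -> Optional[bytes]:
    """Verify the tag in constant time first; decrypt only on success, else None."""
    enc_key, mac_key = derive_keys(secret)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, HASH).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return keystream_xor(enc_key, nonce, ct)


def flip_bit(blob: bytes, byte_index: int, bit: int) -> bytes:
    """Flip one bit inside the ciphertext region (simulated corruption in transit)."""
    b = bytearray(blob)
    b[NONCE_LEN + byte_index] ^= 1 << bit
    return bytes(b)


def demo() -> dict:
    secret = b"constructed shared secret"  # would come from the asymmetric wrap
    msg = b"Pay 100 EUR to account A"
    blob = seal(secret, msg)
    # Flip the low bit of the byte carrying '1' (0x31): it decrypts as '0' (0x30).
    tampered = flip_bit(blob, msg.index(b"1"), 0)
    return {
        "honest": open_authenticated(secret, blob),
        "unauth_tampered": open_unauthenticated(secret, tampered),
        "auth_tampered": open_authenticated(secret, tampered),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The design point is the one Tom makes: both keys come from a single wrapped secret, so the receiver never has to trust an unauthenticated ciphertext to learn anything, and the tag check happens before any decryption work. An AEAD mode packages the same idea into one primitive; the separate-key form above is what you build when the message format only lets you carry a single wrapped key.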
