crypto flaw in secure mail standards (was: Order of encryption and authentication) - sci.crypt

This is a Usenet group - learn more

View this group in the new Google Groups

Message from discussion crypto flaw in secure mail standards (was: Order of encryption and authentication)

D. J. Bernstein

View profile

More options Jul 2 2001, 12:41 am

Newsgroups: sci.crypt

From: d...@cr.yp.to (D. J. Bernstein)

Date: 2 Jul 2001 04:24:05 GMT

Local: Mon, Jul 2 2001 12:24 am

Subject: Re: crypto flaw in secure mail standards (was: Order of encryption and authentication)

Print | View thread | Show original | Report this message | Find messages by this author

Anyone can verify a public-key signature.

This is the whole point of public-key signatures. Verification isn't
limited to the people who can create signatures.

This is, however, a useless feature for private email. Sometimes it's
downright dangerous.

In contrast, with public-key authenticators, verification is limited to
the sender and the receiver. The receiver can't convince anyone else
that the message was created by the sender; the receiver could have
computed the same authenticator.

What is a public-key authenticator? It's a secret-key authenticator,
with a key derived from g^xy, where g^x and g^y are the public keys of
the sender and the receiver.

If you were already planning to encrypt the message, using another key
derived from g^xy, then you don't have to do any extra public-key work.
A secret-key authenticator is easier to implement than a public-key
signature, and it takes less CPU time to compute.

---Dan

Create a group - Google Groups - Google Home - Terms of Service - Privacy Policy

Account Options