[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

consistent pcp/pbp formats

On Wed, Feb 05, 2014 at 01:03:00AM +0400, Yuriy Kaminskiy wrote:
> And, same with pgp & co, it is vulnerable to "Surreptitious Forwarding" [1]:
> Alice sends to Bob "I love you", Bob decrypt message, re-encrypt it to Charlie,
> keeping Alice signature intact. To avoid this problem, you can include
> "len(recipients list)|recipients list" in signed material (thus, any attempt to
> alter recipient list will automagically invalidate signature) [XXX: not exactly
> usual, requires review].

Good, I changed the scheme then. However, instead of adding the
recipient list to the signature, I add it to the hash, since I
sign the hash only anyway; and because it is a) easier to code and b)
results in a signature with a static size.

So, now the signature looks like this:

nonce|crypto_secret_box( crypto_sign( crypto_generichash(cleartext + encrypted-recipientlist) ), nonce, symkey)

Everything else is unchanged. So, an encrypted+signed file contains the
number of recipients, the recipient-list (which consists of the
pk-encrypted ephemeral key per user), the 32k-blockwise sym-encrypted
message, followed by the encrypted signature. As usual the nonce used to
encrypt the sig is prepended.

- Tom

This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.