On Wed, Feb 05, 2014 at 01:03:00AM +0400, Yuriy Kaminskiy wrote:
> And, same as with PGP & co, it is vulnerable to "Surreptitious Forwarding" [1]: Alice sends to Bob "I love you", Bob decrypts the message, re-encrypts it to Charlie, keeping Alice's signature intact. To avoid this problem, you can include "len(recipients list)|recipients list" in the signed material (thus, any attempt to alter the recipient list will automagically invalidate the signature) [XXX: not exactly usual, requires review].
Good, I changed the scheme then. However, instead of adding the recipient list to the signature, I add it to the hash, since I sign only the hash anyway, and because it is a) easier to code and b) results in a signature of static size. So, now the signature looks like this:

  nonce|crypto_secret_box( crypto_sign( crypto_generichash(cleartext + encrypted-recipientlist) ), nonce, symkey)

Everything else is unchanged. So, an encrypted+signed file contains the number of recipients, the recipient list (which consists of the pk-encrypted ephemeral key per user), the 32k-blockwise sym-encrypted message, followed by the encrypted signature. As usual, the nonce used to encrypt the sig is prepended.

- Tom
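The following is an added example (not code from the thread or the project under discussion) showing why binding the recipient list into the signed hash defeats the forwarding described above: a signature Alice made over (cleartext, recipient list to Bob) no longer verifies once the recipient list is replaced or extended. Assumptions: Go's Ed25519 stands in for crypto_sign, SHA-512 for crypto_generichash, the secret_box and message-encryption layers are omitted because they do not affect the binding, and the per-recipient encrypted ephemeral keys are constructed placeholder bytes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha512"
	"encoding/binary"
	"fmt"
)

// signedDigest binds the recipient list to the message as the thread settles on:
// hash cleartext || count || encrypted-recipient-list and sign only the hash.
// Assumption: SHA-512 stands in for crypto_generichash; the 4-byte count
// follows Yuriy's "len(recipients list)|recipients list" suggestion.
func signedDigest(cleartext []byte, recipients [][]byte) []byte {
	h := sha512.New()
	h.Write(cleartext)
	var count [4]byte
	binary.LittleEndian.PutUint32(count[:], uint32(len(recipients)))
	h.Write(count[:])
	for _, encKey := range recipients { // pk-encrypted ephemeral key per recipient
		h.Write(encKey)
	}
	return h.Sum(nil)
}

// Verify recomputes the digest from the recipient list actually present in
// the received file, so any change to that list invalidates the signature.
func Verify(pub ed25519.PublicKey, cleartext []byte, recipients [][]byte, sig []byte) bool {
	return ed25519.Verify(pub, signedDigest(cleartext, recipients), sig)
}

// Demo signs a file for Bob and reports whether Alice's signature still verifies
// for the original list, the list swapped to Charlie, and the list extended
// with Charlie. The recipient entries are constructed placeholder bytes.
func Demo() (original, swapped, extended bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	msg := []byte("I love you")
	bob, charlie := []byte("constructed-ephkey-for-bob"), []byte("constructed-ephkey-for-charlie")
	sig := ed25519.Sign(priv, signedDigest(msg, [][]byte{bob})) // crypto_sign over the hash
	return Verify(pub, msg, [][]byte{bob}, sig), Verify(pub, msg, [][]byte{charlie}, sig),
		Verify(pub, msg, [][]byte{bob, charlie}, sig), nil
}

func main() { fmt.Println(Demo()) }
```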