consistent pcp/pbp formats
Thomas von Dein
tom at vondein.org
Wed Feb 5 04:51:10 PST 2014
On Wed, Feb 05, 2014 at 01:03:00AM +0400, Yuriy Kaminskiy wrote:
> And, same with pgp & co, it is vulnerable to "Surreptitious Forwarding" :
> Alice sends to Bob "I love you", Bob decrypts the message, re-encrypts it to Charlie,
> keeping Alice signature intact. To avoid this problem, you can include
> "len(recipients list)|recipients list" in signed material (thus, any attempt to
> alter recipient list will automagically invalidate signature) [XXX: not exactly
> usual, requires review].
Good, I changed the scheme then. However, instead of adding the
recipient list to the signature, I add it to the hash, since I
sign the hash only anyway; and because it is a) easier to code and b)
results in a signature with a static size.
So, now the signature looks like this:
nonce|crypto_secret_box( crypto_sign( crypto_generichash(cleartext + encrypted-recipientlist) ), nonce, symkey)
Everything else is unchanged. So, an encrypted+signed file contains the
number of recipients, the recipient-list (which consists of the
pk-encrypted ephemeral key per user), the 32k-blockwise sym-encrypted
message, followed by the encrypted signature. As usual the nonce used to
encrypt the sig is prepended.
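As an added illustration of the recipient-list binding described above (not code from pcp or from this thread), the following Go sketch signs the hash of cleartext plus recipient list and shows that re-wrapping the same cleartext for a different recipient list no longer verifies. Ed25519 and SHA-256 from Go's standard library stand in for crypto_sign and crypto_generichash, the secret-box wrapping of the signature is left out, and the per-recipient key blobs are constructed placeholders.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// recipientList: count, then one blob per recipient standing in for the pk-encrypted ephemeral key.
func recipientList(encryptedKeys [][]byte) []byte {
	var buf bytes.Buffer
	binary.Write(&buf, binary.BigEndian, uint32(len(encryptedKeys)))
	for _, k := range encryptedKeys {
		buf.Write(k)
	}
	return buf.Bytes()
}

// signedDigest hashes cleartext together with the recipient list, so the
// signature covers both. SHA-256 stands in for crypto_generichash here.
func signedDigest(cleartext, recipients []byte) []byte {
	h := sha256.New()
	h.Write(cleartext)
	h.Write(recipients)
	return h.Sum(nil)
}

// verifyMessage checks the signature over the digest; a changed recipient list changes the digest.
func verifyMessage(pk ed25519.PublicKey, cleartext, recipients, sig []byte) bool {
	return ed25519.Verify(pk, signedDigest(cleartext, recipients), sig)
}

// forwardingDetected: Alice signs for Bob; Bob re-wraps the same cleartext for Charlie
// keeping Alice's signature. Returns (verifies for Bob, verifies for Charlie).
func forwardingDetected() (bool, bool) {
	alicePK, aliceSK, _ := ed25519.GenerateKey(rand.Reader)
	msg := []byte("I love you")
	forBob := recipientList([][]byte{bytes.Repeat([]byte{0xB0}, 48)})     // constructed blob
	forCharlie := recipientList([][]byte{bytes.Repeat([]byte{0xC4}, 48)}) // constructed blob
	sig := ed25519.Sign(aliceSK, signedDigest(msg, forBob)) // only the digest is signed
	return verifyMessage(alicePK, msg, forBob, sig), verifyMessage(alicePK, msg, forCharlie, sig)
}

func main() {
	ok, forwarded := forwardingDetected()
	fmt.Println("verifies for Bob:", ok, " verifies after forwarding to Charlie:", forwarded)
}
```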