Cryptography Reference
In-Depth Information
The problem here is that Charlie has received a message that is both encrypted
and digitally signed (by Alice). Charlie will want to reasonably conclude that
this is evidence that Alice was the origin of the data (which she was), and that
nobody else has been able to view the data en route from Alice to Charlie. But
this, as we have just seen, is certainly not the case.
Encrypt-then-sign
. This involves Alice encrypting the data using Bob's public
encryption key and then digitally signing the ciphertext. The ciphertext and
the digital signature are then sent to Bob. However, in this case an attacker
who intercepts the resulting message can:
1. create their own digital signature on the ciphertext;
2. forward the ciphertext and the attacker's digital signature to Bob, who verifies
the attacker's digital signature and then decrypts the ciphertext.
In this case Bob will want to conclude that the recovered data has been sent to
him by the attacker. However, this is certainly not the case since the attacker
does not even know what the data is.
The above problems did not arise in Section 6.3.6 due to the fact that the use of
symmetric keys involves an implicit indication of the originator and intended
recipient of a message. By their very nature, this is not the case for use of
public keys. The simplest way of providing this assurance when using public-key
cryptography is to make sure that:
• the data that is encrypted always includes the sender's identity;
• the data that is digitally signed always includes the receiver's identity.
If this is done then the 'attacks' on sign-then-encrypt and encrypt-then-sign are
not possible.
An alternative solution is to use a dedicated cryptographic primitive that
simultaneously encrypts and digitally signs data in a secure way. Such primitives
are often referred to as
signcryption schemes
and can be regarded as the
public-key cryptography equivalent of authenticated-encryption primitives (see
Section 6.3.6). Signcryption schemes have not yet seen wide adoption, but
they are beginning to be standardised, so this situation may change in the
future.
7.4.3
Relationship with handwritten signatures
Earlier in Section 7.1.2 we commented on the importance of resisting any
temptation to consider digital signatures as a direct electronic 'equivalent' of
handwritten signatures. Now that we have discussed digital signatures at some
length, it is time to look more closely at the relationship between these two
concepts.
