[messaging] Transparency for E2E encrypted messaging at a centralized service
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Fri Mar 28 14:22:34 PDT 2014
On 03/28/2014 05:06 PM, Michael Rogers wrote:
> On 27/03/14 17:47, Daniel Kahn Gillmor wrote:
>> if all you care about is a MAC, then you don't need certification
>> of the key out-of-band. stuffing any arbitrary signing key in-band
>> with the message and a signature over it, and having the recipient
>> verify the signature, will give you the equivalent of a MAC on an
>> unsigned message.
> No it won't. A man-in-the-middle can strip off the signing key and
> signature, modify the body, and attach a new signing key and
Wait, how does the MiTM do this without knowing the shared password?
The signing key and the signature are inside the encrypted bundle.
I'm not saying this is a great scheme to use, and I'm not recommending
it; but I don't see how an attacker without knowledge of the shared
password can modify the contents of an encrypted message without
detection, as long as the recipient knows to expect a bundled signing key.
(And I know the scheme proposed here is MAC-then-encrypt, which is bad
news for a number of reasons, but it should still be integrity-protected.)
Sorry if I'm just being dense; feel free to point out if there's
something obvious I'm missing.
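The scheme under discussion, as an added example that is not part of the thread: an ephemeral signing key and a signature over the message travel inside the encrypted bundle, and a recipient who expects the key rejects any bundle altered in transit by someone without the shared password. Ed25519 as the signature algorithm, AES-CTR as the (malleable) cipher and a SHA-256 toy KDF are assumptions made for the demo, not the list's proposal.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// deriveKey is a toy stand-in for a real password KDF (demo only).
func deriveKey(password string) []byte {
	k := sha256.Sum256([]byte("demo-kdf:" + password))
	return k[:]
}

// Seal bundles an ephemeral Ed25519 public key, a signature over msg and msg
// itself, then encrypts the whole bundle (MAC-then-encrypt, AES-CTR as cipher).
func Seal(password string, msg []byte) ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	bundle := append(append(append([]byte{}, pub...), ed25519.Sign(priv, msg)...), msg...)
	block, _ := aes.NewCipher(deriveKey(password)) // 32-byte key: never errors
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil { return nil, err }
	ct := make([]byte, len(bundle))
	cipher.NewCTR(block, iv).XORKeyStream(ct, bundle)
	return append(iv, ct...), nil
}

// Open decrypts and verifies with the bundled key. Because the recipient
// expects that key, a stripped, replaced or bit-flipped bundle fails here.
func Open(password string, wire []byte) ([]byte, error) {
	const hdr = ed25519.PublicKeySize + ed25519.SignatureSize
	if len(wire) < aes.BlockSize+hdr { return nil, errors.New("bundle too short") }
	block, _ := aes.NewCipher(deriveKey(password))
	bundle := make([]byte, len(wire)-aes.BlockSize)
	cipher.NewCTR(block, wire[:aes.BlockSize]).XORKeyStream(bundle, wire[aes.BlockSize:])
	pub, sig, msg := ed25519.PublicKey(bundle[:ed25519.PublicKeySize]), bundle[ed25519.PublicKeySize:hdr], bundle[hdr:]
	if !ed25519.Verify(pub, msg, sig) { return nil, errors.New("integrity check failed") }
	return msg, nil
}

func main() {
	wire, _ := Seal("shared password", []byte("pay 10 EUR")) // constructed sample
	wire[len(wire)-1] ^= 0x01 // in-path bit flip made without the password
	_, err := Open("shared password", wire)
	fmt.Println("tampered message rejected:", err != nil)
}
```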