[messaging] Transparency for E2E encrypted messaging at a centralized service

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Mar 28 14:22:34 PDT 2014


On 03/28/2014 05:06 PM, Michael Rogers wrote:
> On 27/03/14 17:47, Daniel Kahn Gillmor wrote:
>> if all you care about is a MAC, then you don't need certification
>> of the key out-of-band.  stuffing any arbitrary signing key in-band
>> with the message and a signature over it, and having the recipient
>> verify the signature, will give you the equivalent of a MAC on an
>> unsigned message.
> 
> No it won't. A man-in-the-middle can strip off the signing key and
> signature, modify the body, and attach a new signing key and
> signature.

Wait, how does the MiTM do this without knowing the shared password?
The signing key and the signature are inside the encrypted bundle.

I'm not saying this is a great scheme to use, and i'm not recommending
it; but i don't see how an attacker without knowledge of the shared
password can modify the contents of an encrypted message without
detection, as long as the recipient knows to expect a bundled signing key.

(and i know, the scheme proposed here is mac-then-encrypt, which is bad
news for a number of reasons, but it should still be integrity-protected
at least)

Sorry if i'm just being dense; feel free to point out if there's
something obvious i'm missing.

	--dkg
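The scheme being argued over, as an added example that is not part of the thread: the arbitrary in-band signing key is modelled by a fresh per-message HMAC key (the "MAC on an unsigned message" equivalent mentioned above), and the password-based encryption by a toy HMAC-counter-mode stream cipher so that the ciphertext is malleable like CTR mode. The bundle layout, PBKDF2 parameters and fixed salt are assumptions made for the example, and it only checks the integrity claim; it says nothing about the separate mac-then-encrypt concerns.

```python
import hashlib, hmac, os

SALT = b"constructed-salt"  # constructed for the example; a real scheme would send a random salt
KEY_LEN, TAG_LEN, NONCE_LEN = 32, 32, 16

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy unauthenticated stream cipher: HMAC-SHA256 in counter mode, so the
    ciphertext is malleable like AES-CTR (bit flips pass straight through)."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def derive_key(password: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, SALT, 100_000)

def seal(password: bytes, body: bytes) -> bytes:
    """Sender: pick an arbitrary per-message key, 'sign' (here: MAC) the body with
    it, ship key + tag in-band, then encrypt the whole bundle under the password."""
    sk = os.urandom(KEY_LEN)
    tag = hmac.new(sk, body, hashlib.sha256).digest()
    bundle = sk + tag + body
    nonce = os.urandom(NONCE_LEN)
    return nonce + xor(bundle, keystream(derive_key(password), nonce, len(bundle)))

def open_bundle(password: bytes, blob: bytes):
    """Recipient: decrypt, then insist on a bundled key whose tag verifies.
    Returns the body, or None if anything in the bundle was altered."""
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    bundle = xor(ct, keystream(derive_key(password), nonce, len(ct)))
    sk, tag, body = bundle[:KEY_LEN], bundle[KEY_LEN:KEY_LEN + TAG_LEN], bundle[KEY_LEN + TAG_LEN:]
    if len(tag) != TAG_LEN or not hmac.compare_digest(tag, hmac.new(sk, body, hashlib.sha256).digest()):
        return None
    return body

def tamper_body(blob: bytes) -> bytes:
    """Tamper attempt without the password: flip bits in the encrypted body region."""
    i = NONCE_LEN + KEY_LEN + TAG_LEN  # offset of the first body byte
    return blob[:i] + xor(blob[i:], b"\xff" * (len(blob) - i))

def tamper_key_and_tag(blob: bytes) -> bytes:
    """Tamper attempt without the password: overwrite the encrypted key+tag region
    (the strip-and-replace idea from the thread, applied blind to ciphertext)."""
    i, j = NONCE_LEN, NONCE_LEN + KEY_LEN + TAG_LEN
    return blob[:i] + os.urandom(j - i) + blob[j:]
```

Both tamper attempts leave the recipient with a key/tag pair that no longer verifies, which is the detection the message above expects; only someone holding the password can produce a bundle that opens.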
