[messaging] Transparency for E2E encrypted messaging at a centralized service

Michael Rogers michael at briarproject.org
Fri Mar 28 14:48:01 PDT 2014



On 28/03/14 21:22, Daniel Kahn Gillmor wrote:
> Wait, how does the MiTM do this without knowing the shared
> password? The signing key and the signature are inside the
> encrypted bundle.
> 
> I'm not saying this is a great scheme to use, and i'm not
> recommending it; but i don't see how an attacker without knowledge
> of the shared password can modify the contents of an encrypted
> message without detection, as long as the recipient knows to expect
> a bundled signing key.

If the encryption is malleable (e.g. counter mode) and the MITM knows
the plaintext of the signing key and signature (e.g. because the sender
shared the same file with the MITM) then the MITM can modify the body
and replace the signing key and signature without knowing the
encryption key.

I'm sure it would be possible to design a safe way of doing what you
suggest - perhaps by picking appropriate encryption and signature
primitives, and/or ensuring that signature keys are never reused - but
to me it seems safer and simpler to use a MAC, which is meant for this
purpose.

Sorry this has turned into such a long thread, I really just meant it
as an aside. :-)

Cheers,
Michael
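Added example (not from the thread) of the attack described above and of the encrypt-then-MAC alternative: a counter-mode ciphertext of body || signing key || signature is patched by XOR using only the known plaintext, so the recipient's check against the bundled key passes, while a MAC over the ciphertext rejects the same modification. It assumes stand-ins for AES and for the signature scheme, namely an HMAC-based keystream and an HMAC "signature", so that it runs on the Python standard library alone.

```python
import hashlib
import hmac
import os

BODY_LEN = 16  # fixed-width body, so a patched bundle keeps its field layout

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter mode: HMAC-SHA256(key, nonce || counter) stands in for an AES
    # block so the example runs on the standard library alone (assumption).
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    return xor(data, keystream(key, nonce, len(data)))  # same op both ways

def sign(sk: bytes, body: bytes) -> bytes:
    # Stand-in for the bundled signature: HMAC, as the stdlib has no public-key signatures.
    return hmac.new(sk, body, hashlib.sha256).digest()

def make_bundle(body: bytes, sk: bytes) -> bytes:
    return body + sk + sign(sk, body)  # body || signing key || signature

def verify_bundle(bundle: bytes) -> bool:
    body, sk, sig = bundle[:BODY_LEN], bundle[BODY_LEN:BODY_LEN + 32], bundle[BODY_LEN + 32:]
    return hmac.compare_digest(sig, sign(sk, body))

def mitm_patch(ct: bytes, known_bundle: bytes, new_body: bytes, attacker_sk: bytes) -> bytes:
    # The MITM knows the original plaintext (the sender shared the same file), so it
    # XORs in the difference to a bundle it signed itself; no encryption key needed.
    return xor(ct, xor(known_bundle, make_bundle(new_body, attacker_sk)))

def deliver(encrypt_then_mac: bool) -> str:
    enc_key, mac_key, nonce = os.urandom(32), os.urandom(32), os.urandom(16)
    bundle = make_bundle(b"Pay 100 to Alice", os.urandom(32))
    ct = ctr_crypt(enc_key, nonce, bundle)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()  # MAC over nonce || ct
    ct = mitm_patch(ct, bundle, b"Pay 900 to Alice", os.urandom(32))  # modified in transit
    if encrypt_then_mac and not hmac.compare_digest(
            tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return "rejected: MAC mismatch"
    pt = ctr_crypt(enc_key, nonce, ct)
    if not verify_bundle(pt):
        return "rejected: bad signature"
    return "accepted: " + pt[:BODY_LEN].decode()
```

`deliver(False)` shows the bundled-signature check accepting the forged body; `deliver(True)` shows the MAC check, done before decryption, rejecting it.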

