[messaging] Advertising public key in email (was: TOFU to ease PGP key discovery)

Tom Ritter tom at ritter.vg
Wed Feb 11 03:56:44 PST 2015


On 11 February 2015 at 05:26, Mike Hearn <mike at plan99.net> wrote:
>> Do you say that from a political sense or from a technical sense of
>> the S/MIME spec?  I regularly don't sign my emails for a host of
>> reasons even though I encrypt them.
>
>
> S/MIME presumably allows it, as messages done this way are still readable
> without errors. But normally you want to authenticate after encryption,
> right? Otherwise there can be odd attacks based on bit-flipping that can
> result in a message that decrypts successfully but doesn't say what the
> sender thought they said. There have been a bunch of crypto exploits based
> on this technique over the years.

Only if you're constrained by the format I suppose.  You can
Encrypt+MAC, asymmetrically encrypting a secret that's used to derive
both the hmac and symmetric keys; or you can asymmetrically encrypt a
key to be used for an AEAD mode.

PGP has this janky MDC thing
http://tools.ietf.org/html/rfc4880#section-5.14 that would prevent a
bitflipped message from getting through, but not side channels or
attacks on the decryption process.

-tom
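The two constructions mentioned above (deriving separate encryption and MAC keys from one per-message secret, and an MDC-style hash appended before encryption) are easier to compare with a runnable sketch. The following is an added example written for this page, not code from the thread or from any PGP or S/MIME implementation. It assumes the session secret has already been delivered asymmetrically to the recipient (that step is not shown), uses HMAC-SHA256 in counter mode as a stand-in stream cipher for AES-CTR, and models the MDC as a plain SHA-1-of-plaintext appended before encryption rather than the exact RFC 4880 packet layout. The message text and the attacker's bit flip are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Assumption: SESSION_SECRET has already been encrypted to the recipient's
# public key by some other means; only the symmetric side is shown here.

NONCE_LEN = 16
TAG_LEN = 32   # HMAC-SHA256
MDC_LEN = 20   # SHA-1, as the MDC uses


def derive_keys(session_secret: bytes):
    """Split one secret into independent encryption and MAC keys (HKDF-style)."""
    prk = hmac.new(b"hybrid-email-example", session_secret, hashlib.sha256).digest()
    enc_key = hmac.new(prk, b"enc\x01", hashlib.sha256).digest()
    mac_key = hmac.new(prk, b"mac\x01", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode; a stand-in for AES-CTR, equally malleable."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_then_mac(session_secret: bytes, plaintext: bytes) -> bytes:
    """Encrypt under enc_key, then MAC nonce||ciphertext under mac_key."""
    enc_key, mac_key = derive_keys(session_secret)
    nonce = os.urandom(NONCE_LEN)
    ct = xor(plaintext, keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_and_verify(session_secret: bytes, message: bytes) -> bytes:
    """Check the MAC before touching the ciphertext; reject on mismatch."""
    enc_key, mac_key = derive_keys(session_secret)
    nonce, ct, tag = message[:NONCE_LEN], message[NONCE_LEN:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("MAC mismatch: ciphertext modified in transit")
    return xor(ct, keystream(enc_key, nonce, len(ct)))


def decrypt_unauthenticated(session_secret: bytes, message: bytes) -> bytes:
    """What an integrity-free format does: decrypt whatever arrived, ignoring the tag."""
    enc_key, _ = derive_keys(session_secret)
    nonce, ct = message[:NONCE_LEN], message[NONCE_LEN:-TAG_LEN]
    return xor(ct, keystream(enc_key, nonce, len(ct)))


def mdc_encrypt(session_secret: bytes, plaintext: bytes) -> bytes:
    """Simplified MDC: append SHA-1(plaintext), then encrypt plaintext||hash."""
    enc_key, _ = derive_keys(session_secret)
    nonce = os.urandom(NONCE_LEN)
    body = plaintext + hashlib.sha1(plaintext).digest()
    return nonce + xor(body, keystream(enc_key, nonce, len(body)))


def mdc_decrypt(session_secret: bytes, message: bytes) -> bytes:
    """Decrypt everything first, then compare the recovered hash (detects flips, but only after decryption)."""
    enc_key, _ = derive_keys(session_secret)
    nonce, ct = message[:NONCE_LEN], message[NONCE_LEN:]
    body = xor(ct, keystream(enc_key, nonce, len(ct)))
    plaintext, digest = body[:-MDC_LEN], body[-MDC_LEN:]
    if not hmac.compare_digest(digest, hashlib.sha1(plaintext).digest()):
        raise ValueError("MDC mismatch: plaintext does not match its digest")
    return plaintext


def flip_bits(message: bytes, offset: int, mask: int) -> bytes:
    """Keyless attacker: XOR one byte of the ciphertext body."""
    out = bytearray(message)
    out[NONCE_LEN + offset] ^= mask
    return bytes(out)


def rejects(decrypt_fn, session_secret: bytes, message: bytes) -> bool:
    try:
        decrypt_fn(session_secret, message)
    except ValueError:
        return True
    return False


def demo():
    """Constructed scenario: turn '$100' into '$900' without knowing any key."""
    secret = os.urandom(32)
    plaintext = b"Pay Alice $100"
    offset = plaintext.index(b"1")          # position of the digit to change
    mask = ord("1") ^ ord("9")              # 0x08 flips '1' into '9'
    msg = encrypt_then_mac(secret, plaintext)
    tampered = flip_bits(msg, offset, mask)
    unauth = decrypt_unauthenticated(secret, tampered)            # b"Pay Alice $900"
    etm_rejected = rejects(decrypt_and_verify, secret, tampered)  # True
    mdc_rejected = rejects(mdc_decrypt, secret,
                           flip_bits(mdc_encrypt(secret, plaintext), offset, mask))  # True
    return unauth, etm_rejected, mdc_rejected


if __name__ == "__main__":
    print(demo())
```

The unauthenticated path decrypts "successfully" to a different amount, which is the bit-flipping failure described in the quoted text. Encrypt-then-MAC rejects the message before any decryption happens; the MDC-style check also rejects it, but only after the whole body has been run through the cipher, which is the sense in which it stops a flipped message without covering the decryption process itself.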

