
What is the correct procedure for sending an authenticated message? I've been researching and have been getting different answers, such as hash-then-sign [1], [2] and sign-then-encrypt [3] (but the link wasn't specific to RSA).

  1. Do I send the hash-then-sign (with something like RSA-PSS PKCS#1) and attach it to the message or encrypted message?
  2. Do I use sign-then-encrypt? I tried searching "sign then encrypt rsa", with no result on the scheme used. What cryptographic scheme would I use? Would I just use RSA-sign and RSA-encrypt?
  3. Do I combine them and use hash-then-sign-then-encrypt and just send it as one? Is there a cryptographic scheme for this?
user153882
  • Signing generally includes hashing to make it possible to sign larger messages. So there is in practice no difference between hash-then-sign and just sign. – Maarten Bodewes Dec 11 '16 at 02:45
  • The archetypal mistake would be to send in the clear the signature of (the hash of) the message itself, for it would allow checking a guess of the message. – fgrieu Dec 11 '16 at 11:06

1 Answer


The archetypal mistake would be to send in the clear the signature of (the hash of) the message itself, for it would allow checking a guess of the message.

This leaves us with (at least) two general safe sketches (the first having advantages including allowing earlier elimination of bogus messages on the receiver side)

  • encrypt, then sign the whole encrypted message;
  • sign, then encrypt the whole signed message.

In both cases

  • encrypt can be: draw a random key, then apply encryption padding, then apply the RSA exponentiation with a receiver's trusted public key, then append to that cryptogram the encryption of the input with a symmetric cryptosystem using said random key;
  • sign can be: hash the input, then apply a signature padding, then apply the RSA exponentiation with a sender's private key, then append that signature to the input.
fgrieu
  • Say we have enough space and computing power, what would you say about s = sign(m), c = encrypt(m, s), sign(c)? – Maarten Bodewes Dec 11 '16 at 13:59
  • @Maarten Bodewes: yes, sending your (c,sign(c)) works; from an integrity perspective, that's belt and suspenders. – fgrieu Dec 11 '16 at 15:56
  • Just wanted to indicate this option. It lets you validate before decryption (less vulnerable against padding oracle attacks etc.) while still providing non-repudiation of the plaintext message in case you don't want to store the data encrypted. – Maarten Bodewes Dec 11 '16 at 16:08
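
The first sketch from the answer above (encrypt, then sign the whole encrypted message), as an added Go example that is not part of the original answer or comments. It assumes RSA-OAEP as the encryption padding, AES-256-GCM as the symmetric cryptosystem and RSA-PSS with SHA-256 as the signature padding; `seal`, `open`, `aead` and `newKey` are hypothetical names, and the keys are generated only for the demonstration.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Assumed choices (not from the answer): RSA-OAEP, AES-256-GCM (32-byte key), RSA-PSS.
func aead(key []byte) cipher.AEAD { b, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(b); return g }

// seal encrypts msg for the receiver, then signs the whole encrypted message.
func seal(sender *rsa.PrivateKey, receiver *rsa.PublicKey, msg []byte) (c, sig []byte, err error) {
	buf := make([]byte, 44) // fresh random key (32 bytes) and nonce (12) per message
	rand.Read(buf)
	key, nonce := buf[:32], buf[32:] // key gets wrapped: OAEP padding, then RSA (receiver's public key)
	if c, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, receiver, key, nil); err != nil {
		return nil, nil, err
	}
	c = append(append(c, nonce...), aead(key).Seal(nil, nonce, msg, nil)...) // wrapped key | nonce | body
	h := sha256.Sum256(c) // hash, then PSS padding and RSA with the sender's private key
	sig, err = rsa.SignPSS(rand.Reader, sender, crypto.SHA256, h[:], nil)
	return c, sig, err
}

// open checks the signature first, so bogus messages are dropped before any decryption.
func open(receiver *rsa.PrivateKey, sender *rsa.PublicKey, c, sig []byte) ([]byte, error) {
	h, n := sha256.Sum256(c), receiver.Size() // n: length of the RSA-wrapped key
	if rsa.VerifyPSS(sender, crypto.SHA256, h[:], sig, nil) != nil || len(c) < n+12 {
		return nil, fmt.Errorf("bad signature or length; not decrypting")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), nil, receiver, c[:n], nil)
	if err != nil || len(key) != 32 {
		return nil, fmt.Errorf("key unwrap failed")
	}
	return aead(key).Open(nil, c[n:n+12], c[n+12:], nil)
}

func newKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }

func main() {
	alice, bob := newKey(), newKey() // constructed 2048-bit demo keys
	c, sig, _ := seal(alice, &bob.PublicKey, []byte("hello"))
	pt, err := open(bob, &alice.PublicKey, c, sig)
	fmt.Println(string(pt), err)
}
```

The receiver never touches its private key unless the signature over the full cryptogram verifies under the sender's trusted public key.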