
In hybrid encryption we use an asymmetric encryption scheme and the recipient's public key to encrypt a symmetric encryption key $K$. I will denote the resulting ciphertext $C_A$. We then use a symmetric encryption scheme to encrypt a message $M$. I will denote the ciphertext of the symmetric encryption scheme $C_S$. Finally, we send both $C_A$ and $C_S$ to the recipient. The recipient then decrypts $C_A$ to extract $K$ and then decrypts $C_S$ to get $M$.

I am aware that sign-then-encrypt is recommended for authenticating asymmetric encryption. However, in the case of hybrid encryption there seem to be two options: either sign $M$ or sign $K$. It appears to me both options could work provided the symmetric encryption scheme is authenticated, e.g., using an authenticated mode, encrypt-then-MAC or similar.

My question is, what is the "best practice" to authenticate in such an encryption scheme? I am guessing there could be some more or less subtle reasons to choose one over the other.

Guut Boy
  • See also https://crypto.stackexchange.com/q/46480/31519. The thing is that it's possible to modify $C_S$ so that it would still be decryptable into some readable $M$. The solution seems to be to either sign both $M$ and $K$ or sign only $K$ but also use HMAC. – ddnomad Apr 21 '17 at 10:46
  • This is why I assume the symmetric encryption, i.e. $C_S$, to be authenticated as described. – Guut Boy Apr 21 '17 at 10:57
  • If only K is signed, then when Bob gets a message from Alice, then he could write a new message to Charlie with the K and signature from Alice's message and any message Bob wants, and Charlie will think it's from Alice. – Macil Apr 22 '17 at 00:08
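
The difference between the two options, and the point raised in the last comment, worked through as an added example that is not part of the original thread: with an authenticated $C_S$, a signature over $K$ alone still verifies next to any ciphertext made under $K$, while a signature over $M$ is bound to the message. Assumptions: the signature is toy textbook RSA with a constructed key, the authenticated symmetric scheme is a SHAKE-256 keystream with HMAC-SHA256, all function names are illustrative, and the $C_A$ step is omitted because the recipient has already recovered $K$.

```python
import hashlib, hmac, secrets

# Toy textbook-RSA key for Alice (constructed, NOT secure): stand-in for a real signature.
P, Q, E = 2**127 - 1, 2**521 - 1, 65537
N, D, SIG_LEN = P * Q, pow(E, -1, (P - 1) * (Q - 1)), 81

def digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data):                      # requires Alice's private exponent D
    return pow(digest(data), D, N).to_bytes(SIG_LEN, "big")

def verify(data, sig):
    return pow(int.from_bytes(sig, "big"), E, N) == digest(data)

def _xor(k, nonce, data):            # SHAKE-256 keystream (toy stream cipher)
    ks = hashlib.shake_256(b"enc" + k + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(k, msg):                    # encrypt-then-MAC: an authenticated C_S
    nonce = secrets.token_bytes(16)
    ct = nonce + _xor(k, nonce, msg)
    return ct + hmac.new(k, ct, hashlib.sha256).digest()

def open_(k, c_s):
    ct, tag = c_s[:-32], c_s[-32:]
    if not hmac.compare_digest(tag, hmac.new(k, ct, hashlib.sha256).digest()):
        raise ValueError("C_S failed authentication")
    return _xor(k, ct[:16], ct[16:])

def receive_sign_k(k, sig_k, c_s):   # variant 1: the signature covers only K
    if not verify(k, sig_k):
        raise ValueError("bad signature on K")
    return open_(k, c_s)

def receive_sign_m(k, c_s):          # variant 2: C_S encrypts M || Sign(M)
    pt = open_(k, c_s)
    msg, sig = pt[:-SIG_LEN], pt[-SIG_LEN:]
    if not verify(msg, sig):
        raise ValueError("bad signature on M")
    return msg

def demo():
    k, m, other = secrets.token_bytes(32), b"lunch at noon?", b"constructed substitute"
    accepted = receive_sign_k(k, sign(k), seal(k, other))  # K, Sign(K) with a new C_S
    try:                             # Alice's Sign(M) does not verify for another message
        return accepted, receive_sign_m(k, seal(k, other + sign(m)))
    except ValueError as err:
        return accepted, str(err)
```

`demo()` returns the substitute plaintext that passes the sign-$K$ check, together with the error the sign-$M$ check raises for the same substitution.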
