Date: Mon, 05 Nov 2001 12:43:23 -0500
From: "Miller, Robert (GXS)" <Robert.Miller@gxs.ge.com>
I agree with David Fischer: almost always, you want to sign and
then encrypt rather than the other way.
Well now, the 'King' sealed his envelopes with a wax stamp using the ring he
wore on his hand.
Having provided some precedence for 'encrypt then sign',
I don't think this is an example of "encrypt then sign". It's more
like doing both at once: the sealing wax ensures confidentiality,
integrity, and authenticity, all at once.
Problems with "encrypt then sign" include:
If Alice encrypts-then-signs a message and sends it to Bob, Bob can
decrypt it and verify the signature, but if Bob wants to show it to
Carol, and passes on the original message and cleartext, Carol might
accuse Bob of lying about which letter arrived in which envelope.
With sign-then-encrypt, Bob can decrypt and then give the signed
message to Carol.
With sign-then-encrypt, an adversary can't remove a signature from
the message and add his own.
And if the text to be signed is not visible to the signer (because
it's encrypted), the signature may have little legal force.
Reference: "Applied Cryptography" by Bruce Schnier, section
2.7 "Digital Signatures with Encryption".
-- Dan