
Re: blinding & PGP

It occurred to me over lunch that PGP IDEA encrypts files; what is RSA
encrypted are session keys, hashes, etc.  

So you never really digitally sign the file itself, you instead
digitally sign the portion that contains the session key used, hashes
and so forth.

Again, I'm sure PGP doesn't blind the RSA portion, so I would
say you can't bamboozle someone into signing a blinded document with

Now, as for verifying a commercial version of PGP by comparing
encrypts... it all depends on how exactly randseed.bin figures into
the session key creation.  Two files encrypted with the same public
key could compare very differently if the random session keys are
different, since the IDEA encryptions would differ and so would
the MD5 hashes, and so forth.

I'm not sure if additional info besides the randseed.bin file goes
into session key creation.

| Karl L. Barrus                                   |
| [email protected]                         |
| D1 59 9D 48 72 E9 19 D5  3D F3 93 7E 81 B5 CC 32 |
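
An added example, not part of the original message and not PGP's own code: a sketch of the hybrid scheme described above, showing why two encryptions of the same file to the same public key only compare equal when the session key comes out the same. Assumptions: the toy RSA key, the SHA-256 keystream standing in for IDEA, and a session key derived from the seed material alone (the message leaves open whether anything else goes in); all function names are hypothetical.

```python
import hashlib
import os

# Constructed toy RSA key from two Mersenne primes; far too small for real use.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for IDEA: XOR the data with a SHA-256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def encrypt(plaintext: bytes, randseed: bytes) -> tuple[int, bytes]:
    """Hybrid encryption: RSA wraps the session key, the cipher covers the file."""
    # Assumption: the session key depends only on the seed material.
    session_key = hashlib.sha256(b"session" + randseed).digest()[:8]
    wrapped = pow(int.from_bytes(session_key, "big"), E, N)
    return wrapped, keystream_xor(session_key, plaintext)

def decrypt(wrapped: int, body: bytes) -> bytes:
    """Recover the session key with the private exponent, then the file."""
    session_key = pow(wrapped, D, N).to_bytes(8, "big")
    return keystream_xor(session_key, body)

def fingerprint(message: tuple[int, bytes]) -> str:
    """MD5 over the whole encrypted message, as used when comparing outputs."""
    wrapped, body = message
    return hashlib.md5(wrapped.to_bytes(12, "big") + body).hexdigest()

if __name__ == "__main__":
    doc = b"constructed sample plaintext"
    a, b = encrypt(doc, os.urandom(24)), encrypt(doc, os.urandom(24))
    print("fresh seeds match:", fingerprint(a) == fingerprint(b))
    fixed = b"\x00" * 24  # constructed seed, reused for both runs
    c, d = encrypt(doc, fixed), encrypt(doc, fixed)
    print("same seed matches:", fingerprint(c) == fingerprint(d))
```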