When explaining the concept of signing a message, often it is presented as "encrypting with your private key", so that somebody who has the public key can "decrypt" the signature and verify it. However, PGP signatures (especially detached signatures) allow you to read the plaintext of the message regardless of whether the signature is valid. This might not be desirable in some cases -- for example if there is a chance that the receiver might not want to verify the signature properly, but the message is important enough to warrant requiring such verification.

Is there an option for "real" encryption using the private key in PGP -- a way of signing a message such that if the result is tampered with, the plaintext of the message cannot be recovered?

Danya02
  • I'm confused about your use case. If the message is tampered with then the signature won't verify. So, you want to encrypt and sign as independent functions? Sure, use encryption and then use signing. I'm not seeing the problem. – schroeder Mar 17 '22 at 08:58
  • @schroeder The use case I have in mind is where I want to publish a message that is provably authored by me (so, signed), but I want to force the receiver to verify the signature. With a regular signature, the receiver has an option of not verifying it, and I'd like for it to be impossible. AFAICT a similar behavior can be achieved by setting up an interactive service where the receiver submits their public key, and I send the message encrypted with that key, but that requires communication between me and the receiver which isn't always feasible. – Danya02 Mar 17 '22 at 15:18
  • Related: https://security.stackexchange.com/questions/239219/what-happens-when-i-encrypt-something-with-my-rsa-public-key – mti2935 Mar 17 '22 at 23:28

1 Answer

The explanation you have read seems to only cover RSA signatures. In RSA it is really the case that the signature is an RSA encrypted message hash that can be decrypted by the public key.

Please note that I wrote "RSA encrypted message hash", not RSA encrypted message. That explains why you can read the message without bothering about the signature. The message is always in plain text and the RSA encrypted part only contains the message hash but never the whole message (which would not be possible as RSA cannot encrypt data of arbitrary length; the data to be encrypted always has to be some bytes smaller than the key size).

Other digital signature algorithms like ECDSA work totally differently. They also use the message hash, but the signature algorithm works differently than the EC en-/decryption algorithm.

Is there an option for "real" encryption using the private key in PGP -- a way of signing a message such that if the result is tampered with, the plaintext of the message cannot be recovered?

Of course there is. You seem to mix up signing and encrypting. Before sending a message you can choose whether you sign the message, encrypt the message or both (both via PGP). A signature is only useful if you want to protect the message from modification and allow the recipient to verify that the message originates from you. If you want to protect the content of the message you should encrypt the message, not sign.

Robert
  • Thanks for the answer, but I am looking specifically for a mechanism that works like signatures do, rather than how encryption does -- that an unspecified group of people who have my public key can view the message, without me having to create a message for each of them using their public keys. The content of the message isn't secret, but I would like to force the receiver to verify it before it can be read. – Danya02 Mar 17 '22 at 08:37
  • @Danya02 What you want is a shared secret but that is not the way PGP or other serious encryption systems work. If you really want it check out the command-line options for using AES encryption/decryption via openssl. You will find a lot of questions on that topic on https://stackoverflow.com and https://superuser.com. – Robert Mar 17 '22 at 08:42
  • It sounds like one might want to send (signature, symmetric-encryption-of-message-using-signature-as-key). That still won't force the recipient to validate the signature, but it will prevent them from reading the message if separated from the signature, so the recipient can't claim that the signature didn't arrive / was corrupted – Ben Voigt Mar 17 '22 at 21:05
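
What the answer describes for RSA, as an added example that is not part of the original posts: textbook RSA with PKCS #1 v1.5 encoding in plain Python, showing that the public-key operation on a signature returns only the padded SHA-256 hash, so the message travels in the clear whether or not anyone verifies. The key (built from two Mersenne primes) and the sample messages are constructed for illustration and are not secure.

```python
import hashlib

# Constructed toy key from two Mersenne primes: illustration only, never real use.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent
K = (N.bit_length() + 7) // 8          # modulus length in bytes

# ASN.1 DigestInfo prefix for SHA-256 (PKCS #1 v1.5, RFC 8017 section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def encode_digest(message: bytes) -> bytes:
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 || DigestInfo || SHA-256(message)."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t


def sign(message: bytes) -> bytes:
    """Private-key operation on the padded hash, not on the message itself."""
    m = int.from_bytes(encode_digest(message), "big")
    return pow(m, D, N).to_bytes(K, "big")


def recover(signature: bytes) -> bytes:
    """Public-key operation: all that can be 'decrypted' out of a signature."""
    s = int.from_bytes(signature, "big")
    return pow(s, E, N).to_bytes(K, "big")


def verify(message: bytes, signature: bytes) -> bool:
    """Recompute the padded hash from the received message and compare."""
    return recover(signature) == encode_digest(message)


if __name__ == "__main__":
    msg = b"constructed sample message"
    sig = sign(msg)
    print("recovered block:", recover(sig).hex())     # padding + hash only
    print("genuine message verifies:", verify(msg, sig))
    tampered = b"constructed sample massage"
    # The tampered text is still readable; only verify() reveals the change.
    print("tampered message verifies:", verify(tampered, sig))
```
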