15

My question is about the difference between signing and encrypting. Why would you still sign something if you are already going to PKI encrypt it?

Doesn't the PKI encryption inherently provide authentication, integrity and non-repudiation?

==added later===

What if I use my private key to encrypt my message. Then anyone can decrypt this message with my public key so it is not private, but all who do, know it is from me because it was decrypted by my public key. Also all know it wasn't tampered with precisely because they could decrypt it

Jaap
  • 167
  • 1
  • 6
  • 4
    The clarification to Andrey's answer is valuable in interpreting your question; you might want to move it here. – MCW Aug 29 '14 at 11:18
  • 1
    This is a very basic question. But also an important one. Many mistakes with incorrectly used cryptography are due to people not having asked this particular question. – kasperd Aug 30 '14 at 12:32
  • Because you encrypted it with his public key, and anyone can do that, so it doesn't prove you're the message sender. –  Aug 31 '14 at 15:48
  • 1
    What research have you done before asking? This seems to be covered by the 2nd answer to http://security.stackexchange.com/q/2202/971, and by http://security.stackexchange.com/q/23565/971. – D.W. Aug 31 '14 at 21:39
  • No, beeing able to decrypt it is no gurantee for beeing authentic. Trivial example, if you have a message 0 or 1 (yes or no) and you sent it, somebody can flip the bits in the message without beeing able to decrypt or encrypt it and still reverted the meaning of your message. Thats why my AE answer below is relevant. – eckes Aug 31 '14 at 23:37
  • BTW, the topic of authenticated encryption (AE) is a quite hot topic, because it was neglected in the past by many implementations. It is especially of a problem, if the encrypted data actually is processed (allowing an attacker to take advantage of bugs in the processor like memory overflow in decompression or executing unwanted commands). – eckes Aug 31 '14 at 01:17

4 Answers4

35

Encryption provides confidentiality, i.e. ensures that only intended recipient will be able to decrypt the message.

Signing provides authentication, i.e. allows recipient to check that message was sent by a particular sender and wasn't modified.

One way to look at this in the context of PKI is like this: encryption only requires the knowledge of recipient's public key, so anyone can encrypt a message. Signing, on the other hand, requires knowledge of sender's private key, so only the sender can sign the message. As you can see, pure public-key encryption doesn't provide integrity nor authentication.

Andrey
  • 2,236
  • 17
  • 14
  • That is not exactly the question I have. What if I use my private key to **encrypt** my message. Then anyone can **decrypt** this message with my public key so it is not private, but all who do, know it is from me because it was **decrypted** by my public key. Also all know it wasn't tampered with precisely because they could decrypt it – Jaap Aug 29 '14 at 10:42
  • 16
    Such hypothetical "encryption with private key" won't be an encryption – it doesn't provide confidentiality (anyone can decrypt the message). In some cryptosystems (e.g. RSA) signing is done by essentially encrypting with a private key, but this can't and shouldn't be generalised on other cryptosystems. – Andrey Aug 29 '14 at 10:51
  • 5
    That's signing, not encrypting. – Graham Hill Aug 29 '14 at 10:52
  • @Graham ... ah thanks... I get it :-) The only reason for using "Hash then encrypt" is because a hash if fixed length, shorter than message and universal across binary/plain docs – Jaap Aug 29 '14 at 10:55
  • 2
    @Jaap Even the PKCS#1 documents, which define the standard way to perform RSA signing or encryption, don't define it as hash then encrypt. It's hash, pad, modular exponentiation. To avoid confusion, they have even given the modular exponentiation a different name (!) for signing and decryption, even though it is the same operation: "RSASP1 and RSAVP1 are the same as RSADP and RSAEP except for the names of their input and output arguments; they are distinguished as they are intended for different purposes" from [the RFC](http://tools.ietf.org/html/rfc3447#section-5.2) – Maarten Bodewes Aug 29 '14 at 12:52
  • @Jaap you got it wrong - **decryption** can only be done with a **private**-key, **encryption** on the other hand only with a **public**-key – specializt Aug 29 '14 at 12:56
  • @Jaap And that's just RSA, for which modular exponentiation is used for both encryption and decryption. It will fail miserably for e.g. Elliptic Curves. – Maarten Bodewes Aug 29 '14 at 12:57
  • @specializt: Internet disagrees: http://crypto.stackexchange.com/questions/2123/rsa-encryption-with-private-key-and-decryption-with-a-public-key – Mooing Duck Aug 29 '14 at 21:17
  • @MooingDuck Wikipedia disagrees on your disagreement :http://upload.wikimedia.org/wikipedia/commons/thumb/f/f9/Public_key_encryption.svg/525px-Public_key_encryption.svg.png Im gonnna trust my own knowledge and wikipedia instead of StackExchange and whatnot, StackExchange in general has about 50% trolls ;) – specializt Aug 30 '14 at 01:23
  • @specializt: wikipedia disagrees with your disagreement of my disagreement of your disagreement: http://en.m.wikipedia.org/wiki/RSA_(cryptosystem) (read section labeled signing messages). Your image shows how normal encryption works, but doesnt say that other things are impossible. – Mooing Duck Aug 30 '14 at 11:06
  • this topic is ALL ABOUT "normal encryption". You clearly missed it. – specializt Aug 30 '14 at 12:13
  • 1
    @MooingDuck even equating internet to SE, in crypto 2123 the *question* has it wrong (as questions often do, that's why they're asked) but two answers (one community and one detailed) say clearly it's wrong and even the accepted answer waffles. And crypto 2123 (merged 4041) and 4020 and 3179 all agree, with varying detail, that it's wrong and even dangerous to say signature is "encrypt with privatekey" even for RSA, not to mention impossible for other signatures. – dave_thompson_085 Aug 31 '14 at 08:06
10

Encryption with someones public key provides confidentiality, but doesn't provide authentication or integrity.

In a PKI architecture, you encrypt your message with the public key of the recipient. This proves only that you know their public key, but nothing about yourself. When their public key is indeed public, you could be anyone, including an attacker who intercepted the message (although unable to read it) and replaced it with another message encrypted with the same public key.

But by adding a signature with your own private key (which can then be verified with your public key), you prove your own identity which makes tampering with the message impossible.

Note that this only applies when the public key of the recipient is actually public. When the "public" key is a secret shared only between you and the recipient, a signature becomes indeed redundant.

Philipp
  • 49,017
  • 8
  • 127
  • 158
7

If I left a locked box on your porch in the middle of the night and chained it to your door and dropped a key in the mail slot, it would be secure. Nobody else would be able to get in to it and only you would be able to open it, but you would have no way to know who left it for you. It could have been left by the Publisher's Clearing House prize guy or a terrorist, you simply don't know. Encryption does this, it prevents anyone else from accessing your message, but you have no way to know who it was.

If the Publisher's Clearing House guy instead left the check, signed and sitting in front of your door. You would know that it was from them because they signed it and the check was valid, but anyone could come along and take it because it isn't protected. This is what signing does. It proves that a message came from a particular person, but provides no protection for the contents of the message.

What you really want is a signed package sitting on the door. That way nobody else can tell what it is, but you can verify who it was from and that it hasn't been tampered with.

AJ Henderson
  • 41,896
  • 5
  • 63
  • 110
3

The way I look at it is that if I have an encrypted message which is a series of bytes I can decrypt this with your public key. However any series of bytes is "valid" as a result of your encryption. This means that if somebody modifies the message then I can still decrypt it, I just won't get what you originally encrypted. The person who did the tampering probably won't know what effect their tampering had on the message (unless they had the private key) but they can guarantee they will have changed the message. Sometimes (eg if it is just binary data rather than a text message) then you won't know it has been tampered with because you have nothing to compare it to.

What signing can do is guarantee that the message hasn't been tampered with. You take a hash of the original message and then encrypt that with your private key. Now when I decode the message I can hash it and compare it to the hash that you gave me. If they match then I know that a) the content hasn't been tampered with (because the hashes match) and b) that it is from you because the hash was encrypted by your private key.

Chris
  • 132
  • 5