Recipient inconsistence: flaw in OpenPGP

Disastry@saiknes.lv Disastry@saiknes.lv
Fri Aug 17 09:06:01 2001


-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

On Tue Aug 14 11:08:02 2001 Werner Koch wrote:

> > What about encrypting to the recipients present but reporting the
> > missing key in the status output?
>
> That is how it should work (modulo status output) but I am not anymore
> sure whether this is a good idea: If you want to send to Alice and
> Bob but due to a missing key you did not encrypt it for Bob, you will
> later have to resend the message to Bob. After receiving the first
> message, Alice must assume the message was only intended for her and
> act accordingly
> --
> Werner Koch

There is no way for the recipient to be sure whether the same message was sent/encrypted to other recipients or not anyway. PKE packets can be removed from an encrypted message and new (fake) ones can be added by a MITM (Man In The Middle).

For example, you send a message to Alice, this message is intercepted and the MITM adds a fake PKE packet with Bob's key-id (of course this will not allow Bob to decrypt the message). Now when Alice receives the message it looks like it was encrypted to her and to Bob! Alice writes a reply to the message, quotes a lot of your message (or the whole message), and encrypts and sends it back to you and Bob, but you did not want Bob to see this message.

I think this is a flaw in OpenPGP. It could be solved by adding some special Recipients packet into the encrypted message part.

== <EOF> ==
Disastry  http://i.am/disastry/
http://disastry.dhs.org/pgp <----PGP plugins for Netscape and MDaemon
 ^--GPG for Win32 (supports loadable modules and IDEA)
 ^---PGP 2.6.3ia-multi04 (supports IDEA, CAST5, BLOWFISH, TWOFISH,
     AES, 3DES ciphers and MD5, SHA1, RIPEMD160 hashes)
-----BEGIN PGP SIGNATURE-----
Version: Netscape PGP half-Plugin 0.14 by Disastry / PGPsdk v1.7.1

iQA/AwUBO3yjlTBaTVEuJQxkEQMObgCfekkjQROK541016oaT20Zt4CLcKcAn1c3
GHAaSExlIaFDSk7Qdc0deMs4
=SdQL
-----END PGP SIGNATURE-----
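
The point of this message, as an added example (not part of the original post and not code from any PGP implementation): the recipient key IDs are read from PKE (public-key encrypted session key) packets that sit outside the encrypted-data packet, so two streams can list different recipients while carrying a byte-identical encrypted body. The key IDs, the dummy ciphertext and the helper names are constructed for illustration, and the packet layout assumed is the one in RFC 4880.

```python
PKESK, SED, SEIPD = 1, 9, 18  # OpenPGP packet tags (RFC 4880, section 4.3)

def packets(data):  # yields (tag, body); definite-length packets only
    i = 0
    while i < len(data):
        hdr = data[i]
        i += 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                        # new-format header
            tag, first = hdr & 0x3F, data[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192
                i += 1
            elif first == 255:
                length = int.from_bytes(data[i:i + 4], "big")
                i += 4
            else:
                raise ValueError("partial body lengths not handled here")
        else:                                 # old-format header
            tag, n = (hdr >> 2) & 0x0F, 1 << (hdr & 0x03)
            if n == 8:                        # length type 3
                raise ValueError("indeterminate length not handled here")
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        yield tag, data[i:i + length]
        i += length

def recipient_view(data):
    """Return (claimed key IDs, encrypted-data body) as a receiver parses them."""
    key_ids, encrypted = [], None
    for tag, body in packets(data):
        if tag == PKESK and body[:1] == b"\x03":   # v3: version, 8-byte key ID
            key_ids.append(body[1:9].hex().upper())
        elif tag in (SED, SEIPD):
            encrypted = body
    return key_ids, encrypted

def pkesk(key_id_hex):
    # Constructed v3 PKESK: algorithm 1 (RSA) and a dummy MPI, not a real session key
    body = b"\x03" + bytes.fromhex(key_id_hex) + b"\x01" + b"\x00\x08\xAA"
    return bytes([0xC0 | PKESK, len(body)]) + body

ALICE, BOB = "A11CEA11CEA11CE0", "B0BB0BB0BB0BB0B0"    # constructed key IDs
CIPHERTEXT = bytes([0xC0 | SEIPD, 5]) + b"\x01\xDE\xAD\xBE\xEF"  # dummy body
one_recipient = pkesk(ALICE) + CIPHERTEXT
two_recipients = pkesk(ALICE) + pkesk(BOB) + CIPHERTEXT
```

`recipient_view` returns different key-ID lists for the two streams but the same encrypted body, which is why a receiving client cannot treat the listed key IDs as an authenticated recipient list.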