Anderson's attack?

Aaron Sherman harmil at
Wed Feb 6 23:47:02 CET 2002

On Wed, 2002-02-06 at 13:10, Ben Pearre wrote:
> I'm sorry if this is in the archives - I looked but didn't find it.
> This seems like a legitimate concern:
> Has this been addressed in GnuPG?  The documentation doesn't mention
> whether gpg --encrypt --sign does Encrypt/Sign or Sign/Encrypt or
> what.  What's really going on in there?
This is a classic example of a social problem being attacked on a
technical level (which is pretty much doomed to failure).

The idea is that T[1]=E(B[pub],S(A[priv],P)) can be transformed into
T[2]=E(C[pub],D(B[priv],T[1])) and the encryption envelope will tell you
nothing to refute the assertion that A told C P.

To which we all respond... duh.

The document goes on to posit that where P is some permutation on
"sender owes recipient US$X", recipient is ambiguous and all values of
T[2,...] yield an unexpected result for A (i.e. owing money to everyone
on the planet).

When I'm home, I'll look up and cite the page in AC where this is gone
into in some depth, but the core of the argument here is that there is
something wrong with this scenario, and that the encryption envelope
should be responsible for protecting the innocent but stupid. If you
feel this way, feel free to write a mail-encrypting system that
duplicates the message headers and includes them in the signed
plaintext. That will provide no assurance that you did NOT divulge
information of course, but no cryptosystem alone can ever do that
(mathematically speaking nothing can ever do that, but for some
specialized applications, a reasonable subset can be achieved).

Ok, back to the topic: this is not gnupg's problem. It should not be
gnupg's problem. This is the plaintext's author's problem, as it should

As for the argument that someone could be fired for leaking company
secrets or end up owing people money because of ambiguous statements I
say phooey. Turn that upside down, and I can buy it: the recipient cannot
prove that they were the intended target of the message without some
external data source (subpoenaed mailer logs, etc) and thus cannot rely
on using the signed message as evidence of a contract or disclosure
unless it is internally unambiguous. Yes, this is true. It means that
recipients must require that the body of a signed message must be
internally unambiguous or only rely on external information which is
unambiguous (e.g. "USPS PKI ID xxxx owes USPS PKI ID yyyy the balance of
PayPal account zzzz"; if you trust the USPS PKI and PayPal to maintain
an unambiguous resolution of these values, then this message is

Ok, I'm done ranting. I'll be in my corner ;-)

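The T[1] -> T[2] re-wrapping described above, and the fix the post suggests (put the envelope headers inside the signed plaintext), as an added worked example in Python. This is not GnuPG code and not anything posted in the thread: it models sign-then-encrypt with textbook RSA over hard-coded Mersenne/Curve25519 primes and a SHA-256 XOR keystream in place of real OpenPGP packets, and the names alice/bob/carol and the promissory text are constructed for the demo.

```python
"""Toy model of surreptitious forwarding against sign-then-encrypt.

Added example, NOT GnuPG code. Textbook RSA with hard-coded primes and a
SHA-256 keystream; adequate to show the envelope structure, not for use.
"""
import hashlib
import json
import os

# Known primes (Mersenne exponents 61/89/107/127/521 and 2^255-19); toy keys only.
M61, M89, M107, M127, M521 = 2**61 - 1, 2**89 - 1, 2**107 - 1, 2**127 - 1, 2**521 - 1
P25519 = 2**255 - 19
E = 65537
HEADER_SEP = "\n\n"
CLAIM = b"I, Alice, owe the recipient of this message US$100."  # constructed


def make_key(p, q):
    """Textbook RSA key pair; the public part is (n, e), the private part adds d."""
    n = p * q
    return {"n": n, "e": E, "d": pow(E, -1, (p - 1) * (q - 1))}


def keystream(key: bytes, length: int) -> bytes:
    """SHA-256 in counter mode as a stand-in symmetric cipher."""
    out = b""
    for ctr in range((length + 31) // 32):
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
    return out[:length]


def sym_xor(key: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def sign(priv, data: bytes) -> int:
    """S(A[priv], P): RSA over SHA-256(P), reduced mod n because the toy n is < 2^256."""
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % priv["n"]
    return pow(h, priv["d"], priv["n"])


def verify(pub, data: bytes, sig: int) -> bool:
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % pub["n"]
    return pow(sig, pub["e"], pub["n"]) == h


def encrypt(pub, plaintext: bytes) -> dict:
    """E(B[pub], X): hybrid envelope, a fresh 16-byte key wrapped with RSA."""
    k = os.urandom(16)
    return {"ek": pow(int.from_bytes(k, "big"), pub["e"], pub["n"]),
            "body": sym_xor(k, plaintext).hex()}


def decrypt(priv, env: dict) -> bytes:
    k = pow(env["ek"], priv["d"], priv["n"]).to_bytes(16, "big")
    return sym_xor(k, bytes.fromhex(env["body"]))


def sign_then_encrypt(sender_priv, recipient_pub, plaintext: bytes) -> dict:
    """T[1] = E(B[pub], S(A[priv], P)). Nothing inside names the recipient."""
    signed = json.dumps({"msg": plaintext.decode(), "sig": sign(sender_priv, plaintext)})
    return encrypt(recipient_pub, signed.encode())


def open_message(recipient_priv, sender_pub, env: dict):
    signed = json.loads(decrypt(recipient_priv, env))
    msg = signed["msg"].encode()
    return msg, verify(sender_pub, msg, signed["sig"])


def forward(b_priv, c_pub, env: dict) -> dict:
    """T[2] = E(C[pub], D(B[priv], T[1])): B re-wraps A's signed text for C untouched."""
    return encrypt(c_pub, decrypt(b_priv, env))


def sign_then_encrypt_bound(sender_priv, sender, recipient, recipient_pub, plaintext):
    """The post's fix: duplicate the mail headers inside the signed plaintext."""
    text = f"From: {sender}\nTo: {recipient}" + HEADER_SEP + plaintext.decode()
    return sign_then_encrypt(sender_priv, recipient_pub, text.encode())


def open_bound(recipient_priv, me, sender_pub, env: dict):
    """Returns (body, signature_ok, addressed_to_me); the last flag is what C lacks."""
    text, sig_ok = open_message(recipient_priv, sender_pub, env)
    headers, _, body = text.decode().partition(HEADER_SEP)
    fields = dict(line.split(": ", 1) for line in headers.splitlines())
    return body.encode(), sig_ok, fields.get("To") == me


def demo():
    A, B, C = make_key(M127, M89), make_key(M521, M61), make_key(P25519, M107)
    t1 = sign_then_encrypt(A, B, CLAIM)
    at_c = open_message(C, A, forward(B, C, t1))        # A's signature still verifies for C
    t1b = sign_then_encrypt_bound(A, "alice", "bob", B, CLAIM)
    at_b_bound = open_bound(B, "bob", A, t1b)
    at_c_bound = open_bound(C, "carol", A, forward(B, C, t1b))  # signed "To: bob" exposes it
    return {"at_b": open_message(B, A, t1), "at_c": at_c,
            "at_b_bound": at_b_bound, "at_c_bound": at_c_bound}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

In the unbound case C ends up holding a perfectly valid A-signed copy of the claim with no trace of B, which is the whole complaint; in the bound case the signature is just as valid, but the signed "To:" line now contradicts the envelope, so C (or a court) can see the mismatch. Nothing here stops B from forwarding, which is the post's point: the envelope can only make the forwarding visible, not prevent it.
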
More information about the Gnupg-devel mailing list