Fwd: crypto flaw in secure mail standards

Werner Koch wk@gnupg.org
Sat Jun 23 16:52:01 2001


 || On Sat, 23 Jun 2001 15:15:08 +0200
 || Ingo Klöcker <ingo.kloecker@epost.de> wrote: 

 ik> The following message was forwarded to the KMail mailing list. Now I 
 ik> wonder if the second scenario is possible with PGP/GnuPG, i.e. is it 
 ik> possible to extract the clear signed message(+signature packet) from an 
 ik> encrypted&signed message and then re-encrypt the clear signed message 

Yes, but it does not matter.

According to the abstract the paper has a serious flaw.  It assumes
that signing end encryption addresses one problem.  But it does not.
Signing and encryption are 2 entirely different things. 

David Howe already wrote on Bugtraq that this attack is very similar
to the physical world with a signature on a letter and an enevelope.
It is pretty easy to put a received signed letter into another
envelope and send it forward.  However, only a jerk would rely on a
contract with insufficient information, i.e. a letter which has just
the words "canceled" without naming the subject and the recipient.

The second example is very simliar - encryption alone does not provide
confidentiality.  You must trust the recipient of a confidential
information to keep it confidential; this is hard if you have no
pre-established trust in the recipient.  Deploying encryption in an
organization can't be done by just using encryption sotware; you have
to reorganize a couple of other things.

ciao,

  Werner

-- 
Werner Koch        Omnis enim res, quae dando non deficit, dum habetur
g10 Code GmbH      et non datur, nondum habetur, quomodo habenda est.
Privacy Solutions                                        -- Augustinus