Fwd: crypto flaw in secure mail standards

Anthony E. Greene agreene@pobox.com
Mon Jun 25 03:42:01 2001 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sat, 23 Jun 2001, Ingo Kloecker wrote:
[excerpt of a paper by Don Davis]

>Suppose Alice and Bob are business partners, and are setting

>up a deal together.  Suppose Alice decides to call off the

>deal, so she sends Bob a secure-mail message: "The deal is off."

>Then Bob can get even with Alice:

>

>  * Bob waits until Alice has a new deal in the works

>    with Charlle;

>  * Bob can abuse the secure e-mail protocol to re-encrypt

>    and resend Alice's message to Charlie;

>  * When Charlie receives Alice's message, he'll believe

>    that the mail-security features guarantee that Alice

>    sent the message to Charlie.

>  * Charlie abandons his deal with Alice.


Wrong.

Charlie sees that the message was not signed by Alice and contacts her to
verify the status of their deal. Unsigned messages are worthless in this
context, encrypted or not.

When verifying authorship, the presence or absence of a valid signature is
relevant, the presence or absence of encryption is not.

Perhaps a different example would make it clear. Suppose banks had the
means to routinely and positively verify the signatures on checks, and
that they in fact routinely did so. If I sent you an unsigned check, do
you think the bank would just assume I wrote it and cash it for you
without my signature? Given that the bank could readily identify
forgeries, it would also be pointless for you to sign my name (in fact,
since forgery is a crime, it would be counterproductive for you to sign my
name). Therefore an unsigned check would be worthless to you. It would not
matter whether you received the check in an envelope (encrypted) or
attached to a postcard. When determining authorship, only signatures
matter, not encryption.


>Suppose instead that Alice & Bob are coworkers.  Alice uses

>secure e-mail to send Bob her sensitive company-internal

>sales plan.  Bob decides to get his rival Alice fired:

>

>  * Bob abuses the secure e-mail protocol to re-encrypt and

>    resend Alice's sales-plan, with her digital signature,

>    to a rival company's salesman Charlie.

>  * Charlie brags openly about getting the sales plan from

>    Alice.  When he's accused in court of stealing the plan,

>    Charlie presents Alice's secure e-mail as evidence of

>    his innocence.


The headers aren't signed, so possessing the body of the message proves
nothing.

Charlie may as well present a paper letter and envelope that has Alice's
return address typed on it. Anyone could have sent it.

For example, I could acquire a paper document and mail it to myself with
the author's return address on the envelope. According to Mr. Davis'
premise, the return address would "prove" that the author sent me the
document. Supposedly that would represent a flaw in the use of pen and ink
signatures, when it's actually a flaw in the thinking of whoever believes
return addresses on envelopes constitute proof of sender.

That's why analogous court cases usually revolve around issues of
fingerprints, signatures, access to the stationery, and other physical
links between the document and the purported sender. No one with any
knowledge of postal systems would assume proof of sender based on the
return address typed on the envelope, which could in fact be omitted.
Would an ommitted return address mean the letter sent itself?

Granted, email headers cannot be ommitted, but they're so easy to forge
that it would be laughable if it weren't for the number of spammers who
forge headers. Email headers are worthless, and the fact that they can be
forged has no bearing on the worth of public key digital signature
systems.

Either the posted summary leaves out some important details, or this paper
is seriously flawed.

Tony
- --
Anthony E. Greene <agreene@pobox.com> <http://www.pobox.com/~agreene/>
PGP Key: 0x6C94239D/7B3D BD7D 7D91 1B44 BA26  C484 A42A 60DD 6C94 239D
Chat:  AOL/Yahoo: TonyG05    MSN: te_greene
Linux. The choice of a GNU Generation. <http://www.linux.org/>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: Anthony E. Greene <agreene@pobox.com> 0x6C94329D

iD8DBQE7NpVQpCpg3WyUI50RAoi3AJ0YCELU9zZngsZGMCIjOQG92tzHzACdGWd0
OvB8IiPvfhf7oi1BSxPABLA=
=RNW0
-----END PGP SIGNATURE-----