Fwd: crypto flaw in secure mail standards

Anthony E. Greene agreene@pobox.com
Mon Jun 25 03:42:01 2001


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sat, 23 Jun 2001, Ingo Kloecker wrote:
[excerpt of a paper by Don Davis]

>Suppose Alice and Bob are business partners, and are setting
>up a deal together. Suppose Alice decides to call off the
>deal, so she sends Bob a secure-mail message: "The deal is off."
>Then Bob can get even with Alice:
>
> * Bob waits until Alice has a new deal in the works
> with Charlie;
> * Bob can abuse the secure e-mail protocol to re-encrypt
> and resend Alice's message to Charlie;
> * When Charlie receives Alice's message, he'll believe
> that the mail-security features guarantee that Alice
> sent the message to Charlie.
> * Charlie abandons his deal with Alice.

Wrong. Charlie sees that the message was not signed by Alice and contacts her to verify the status of their deal. Unsigned messages are worthless in this context, encrypted or not. When verifying authorship, the presence or absence of a valid signature is relevant, the presence or absence of encryption is not.

Perhaps a different example would make it clear. Suppose banks had the means to routinely and positively verify the signatures on checks, and that they in fact routinely did so. If I sent you an unsigned check, do you think the bank would just assume I wrote it and cash it for you without my signature? Given that the bank could readily identify forgeries, it would also be pointless for you to sign my name (in fact, since forgery is a crime, it would be counterproductive for you to sign my name). Therefore an unsigned check would be worthless to you. It would not matter whether you received the check in an envelope (encrypted) or attached to a postcard. When determining authorship, only signatures matter, not encryption.

>Suppose instead that Alice & Bob are coworkers. Alice uses
>secure e-mail to send Bob her sensitive company-internal
>sales plan. Bob decides to get his rival Alice fired:
>
> * Bob abuses the secure e-mail protocol to re-encrypt and
> resend Alice's sales-plan, with her digital signature,
> to a rival company's salesman Charlie.
> * Charlie brags openly about getting the sales plan from
> Alice. When he's accused in court of stealing the plan,
> Charlie presents Alice's secure e-mail as evidence of
> his innocence.

The headers aren't signed, so possessing the body of the message proves nothing. Charlie may as well present a paper letter and envelope that has Alice's return address typed on it. Anyone could have sent it.

For example, I could acquire a paper document and mail it to myself with the author's return address on the envelope. According to Mr. Davis' premise, the return address would "prove" that the author sent me the document. Supposedly that would represent a flaw in the use of pen and ink signatures, when it's actually a flaw in the thinking of whoever believes return addresses on envelopes constitute proof of sender.

That's why analogous court cases usually revolve around issues of fingerprints, signatures, access to the stationery, and other physical links between the document and the purported sender. No one with any knowledge of postal systems would assume proof of sender based on the return address typed on the envelope, which could in fact be omitted. Would an omitted return address mean the letter sent itself?

Granted, email headers cannot be omitted, but they're so easy to forge that it would be laughable if it weren't for the number of spammers who forge headers. Email headers are worthless, and the fact that they can be forged has no bearing on the worth of public key digital signature systems.

Either the posted summary leaves out some important details, or this paper is seriously flawed.

Tony
- --
Anthony E. Greene <agreene@pobox.com> <http://www.pobox.com/~agreene/>
PGP Key: 0x6C94239D/7B3D BD7D 7D91 1B44 BA26 C484 A42A 60DD 6C94 239D
Chat: AOL/Yahoo: TonyG05 MSN: te_greene
Linux. The choice of a GNU Generation. <http://www.linux.org/>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: Anthony E. Greene <agreene@pobox.com> 0x6C94329D

iD8DBQE7NpVQpCpg3WyUI50RAoi3AJ0YCELU9zZngsZGMCIjOQG92tzHzACdGWd0
OvB8IiPvfhf7oi1BSxPABLA=
=RNW0
-----END PGP SIGNATURE-----