Fwd: crypto flaw in secure mail standards

Don Davis dtd@world.std.com
Mon Jun 25 04:44:01 2001


On Sat, 23 Jun 2001, Ingo Kloecker wrote:
[excerpt of a paper by Don Davis]

>> Suppose Alice and Bob are business partners, and are setting
>> up a deal together. Suppose Alice decides to call off the
>> deal, so she sends Bob a secure-mail message: "The deal is off."
>> Then Bob can get even with Alice:
>>
>> * Bob waits until Alice has a new deal in the works
>> with Charlle;
>> * Bob can abuse the secure e-mail protocol to re-encrypt
>> and resend Alice's message to Charlie;
>> * When Charlie receives Alice's message, he'll believe
>> that the mail-security features guarantee that Alice
>> sent the message to Charlie.
>> * Charlie abandons his deal with Alice.

> Wrong.
> Charlie sees that the message was not signed by Alice and
> contacts her to verify the status of their deal. Unsigned
> messages are worthless in this context, encrypted or not.
> Either the posted summary leaves out some important details,
> or this paper is seriously flawed.
mr. greene -- the point is that charlie decrypts alice's _signed_ message, then re-encrypts it, without removing the signature. i'm sorry my summary was unclear about this point. i wrote the summary to serve as a press-release, more-or-less, and as a teaser to get people to read the paper. please do read the paper. the links are live now: - don davis, boston http://world.std.com/~dtd/sign_encrypt/sign_encrypt7.ps http://world.std.com/~dtd/sign_encrypt/sign_encrypt7.html -