resend: crypto flaw in secure mail standards
Don Davis
dtd@world.std.com
Mon Jun 25 04:44:12 2001
i've corrected the obvious typo: it's bob who re-encrypts
the signed message, not charlie. sorry; getting kind of
bleary.
- don davis
On Sat, 23 Jun 2001, Ingo Kloecker wrote:
[excerpt of a paper by Don Davis]
>> Suppose Alice and Bob are business partners, and are setting
>> up a deal together. Suppose Alice decides to call off the
>> deal, so she sends Bob a secure-mail message: "The deal is off."
>> Then Bob can get even with Alice:
>>
>> * Bob waits until Alice has a new deal in the works
>> with Charlle;
>> * Bob can abuse the secure e-mail protocol to re-encrypt
>> and resend Alice's message to Charlie;
>> * When Charlie receives Alice's message, he'll believe
>> that the mail-security features guarantee that Alice
>> sent the message to Charlie.
>> * Charlie abandons his deal with Alice.
> Wrong.
> Charlie sees that the message was not signed by Alice and
> contacts her to verify the status of their deal. Unsigned
> messages are worthless in this context, encrypted or not.
> Either the posted summary leaves out some important details,
> or this paper is seriously flawed.
mr. greene --
the point is that bob decrypts alice's _signed_ message,
then re-encrypts it, without removing the signature. i'm
sorry my summary was unclear about this point. i wrote the
summary to serve as a press-release, more-or-less, and as a
teaser to get people to read the paper.
please do read the paper. the links are live now:
- don davis, boston
http://world.std.com/~dtd/sign_encrypt/sign_encrypt7.ps
http://world.std.com/~dtd/sign_encrypt/sign_encrypt7.html
-