resend: crypto flaw in secure mail standards

Mon Jun 25 04:44:12 2001

i've corrected the obvious typo:  it's bob who re-encrypts
the signed message, not charlie.  sorry;  getting kind of
bleary.
				- don davis

On Sat, 23 Jun 2001, Ingo Kloecker wrote:
[excerpt of a paper by Don Davis]

>> Suppose Alice and Bob are business partners, and are setting

>> up a deal together.  Suppose Alice decides to call off the

>> deal, so she sends Bob a secure-mail message: "The deal is off."

>> Then Bob can get even with Alice:

>>

>>  * Bob waits until Alice has a new deal in the works

>>    with Charlle;

>>  * Bob can abuse the secure e-mail protocol to re-encrypt

>>    and resend Alice's message to Charlie;

>>  * When Charlie receives Alice's message, he'll believe

>>    that the mail-security features guarantee that Alice

>>    sent the message to Charlie.

>>  * Charlie abandons his deal with Alice.

> Wrong.

> Charlie sees that the message was not signed by Alice and

> contacts her to verify the status of their deal. Unsigned

> messages are worthless in this context, encrypted or not.

> Either the posted summary leaves out some important details,

> or this paper is seriously flawed.

mr. greene --

the point is that bob decrypts alice's _signed_ message,
then re-encrypts it, without removing the signature.  i'm
sorry my summary was unclear about this point.  i wrote the
summary to serve as a press-release, more-or-less, and as a
teaser to get people to read the paper.

please do read the paper.  the links are live now:

				- don davis, boston

http://world.std.com/~dtd/sign_encrypt/sign_encrypt7.ps
http://world.std.com/~dtd/sign_encrypt/sign_encrypt7.html

-