Fwd: crypto flaw in secure mail standards
David Shaw
dshaw@jabberwocky.com
Mon Jun 25 04:50:01 2001
On Sun, Jun 24, 2001 at 09:40:50PM -0400, Anthony E. Greene wrote:
> On Sat, 23 Jun 2001, Ingo Kloecker wrote:
> [excerpt of a paper by Don Davis]
> >Suppose Alice and Bob are business partners, and are setting
> >up a deal together. Suppose Alice decides to call off the
> >deal, so she sends Bob a secure-mail message: "The deal is off."
> >Then Bob can get even with Alice:
> >
> > * Bob waits until Alice has a new deal in the works
> > with Charlie;
> > * Bob can abuse the secure e-mail protocol to re-encrypt
> > and resend Alice's message to Charlie;
> > * When Charlie receives Alice's message, he'll believe
> > that the mail-security features guarantee that Alice
> > sent the message to Charlie.
> > * Charlie abandons his deal with Alice.
>
> Wrong.
>
> Charlie sees that the message was not signed by Alice and contacts her to
> verify the status of their deal. Unsigned messages are worthless in this
> context, encrypted or not.
>
> When verifying authorship, the presence or absence of a valid signature is
> relevant, the presence or absence of encryption is not.
Mr. Davis's paper points out that OpenPGP (and hence GnuPG) signs and
encrypts documents by essentially clearsigning the document, then
wrapping the clearsigned document in a layer of encryption.

It is thus possible for Alice to send a signed and encrypted mail to
Bob; Bob decrypts it, recovering the clearsigned message, and then
re-encrypts it to Charlie. Charlie will receive the original document
with Alice's signature intact.

It is an interesting attack, but it is really more of a social attack
than a crypto attack. The exploitability of this relies on Alice
writing "The deal is off" rather than "Hey Bob, the deal is off".
Hopefully Charlie would also notice the timestamp on the signature is
old. :)

The suggested fix to make the inner signature somehow tied to the
outer encryption layer would indeed fix the problem, but it does
create other interesting issues. As things stand now, a signed
document does not have any notion of who it was signed for. The
suggested fix would change that so a document would essentially be
signed "for" somebody. Presumably implementations would keep the
ability to sign without tying it to a particular destination key for
those cases where signing a document for a particular recipient is not
appropriate.
David
-- 
David Shaw | dshaw@jabberwocky.com | WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
"There are two major products that come out of Berkeley: LSD and UNIX.
We don't believe this to be a coincidence." - Jeremy S. Anderson
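The two-layer construction David describes, together with the "signed for" binding he proposes, as an added example that is not code from this thread, from Don Davis's paper or from GnuPG. It models the inner clearsigned layer with Ed25519 and the outer encryption layer with RSA-OAEP over a JSON form of that inner layer (stand-ins chosen for brevity, not OpenPGP's packet format), and the names Party, SignedMessage, Sign, Verify, Encrypt, Decrypt and Scenario are all constructed here. Scenario walks the story from the point of view of Charlie's verifier: with an empty signed-for field, the re-wrapped message verifies exactly as the paper says, because the outer layer carries nothing the signature depends on; with the field set to "bob" and covered by the signature, Charlie's verifier rejects it, and because the field sits inside the signed bytes it cannot be edited or removed to get past that check. The empty-field case is kept deliberately, so that signing without naming a reader stays possible, as David expects implementations would allow.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Party is one mail user: an Ed25519 signing key plus an RSA key for receiving mail (a constructed stand-in for an OpenPGP key pair).
type Party struct {
	Name    string
	sigPub  ed25519.PublicKey
	sigPriv ed25519.PrivateKey
	encPriv *rsa.PrivateKey
}

func NewParty(name string) (*Party, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	enc, err := rsa.GenerateKey(rand.Reader, 2048)
	return &Party{Name: name, sigPub: pub, sigPriv: priv, encPriv: enc}, err
}

// SignedMessage is the inner clearsigned layer; Recipient is the proposed "signed for" field (empty = names no reader).
type SignedMessage struct {
	Body, Recipient string
	Sig             []byte
}

// signedBytes is what the signature covers: length-prefixed recipient, then body, so the recipient cannot be altered without breaking it.
func signedBytes(body, recipient string) []byte {
	b := []byte{byte(len(recipient) >> 8), byte(len(recipient))}
	return append(append(b, recipient...), body...)
}

func Sign(signer *Party, body, recipient string) SignedMessage {
	sig := ed25519.Sign(signer.sigPriv, signedBytes(body, recipient))
	return SignedMessage{Body: body, Recipient: recipient, Sig: sig}
}

// Verify checks the signature and, if the message names a reader, that the reader is the party now holding it (the proposed fix).
func Verify(m SignedMessage, signer, reader *Party) error {
	if !ed25519.Verify(signer.sigPub, signedBytes(m.Body, m.Recipient), m.Sig) {
		return fmt.Errorf("bad signature")
	}
	if m.Recipient != "" && m.Recipient != reader.Name {
		return fmt.Errorf("signed for %q, not for %q", m.Recipient, reader.Name)
	}
	return nil
}

// Encrypt wraps the clearsigned layer for one reader. RSA-OAEP over a JSON form stands in for
// OpenPGP's session-key scheme (short messages only); nothing here depends on the signer or signature.
func Encrypt(to *Party, m SignedMessage) ([]byte, error) {
	pt, _ := json.Marshal(m) // cannot fail for two strings and a byte slice
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, &to.encPriv.PublicKey, pt, nil)
}

func Decrypt(me *Party, ct []byte) (SignedMessage, error) {
	var m SignedMessage
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, me.encPriv, ct, nil)
	if err != nil {
		return m, err
	}
	err = json.Unmarshal(pt, &m)
	return m, err
}

// Scenario replays the thread's story: Alice mails Bob, Bob strips the outer layer and re-wraps the untouched
// inner layer for Charlie. It reports whether Charlie's verifier accepts; signedFor is Alice's "signed for" field.
func Scenario(alice, bob, charlie *Party, signedFor string) (bool, error) {
	toBob, err := Encrypt(bob, Sign(alice, "The deal is off.", signedFor))
	if err != nil {
		return false, err
	}
	inner, err := Decrypt(bob, toBob)
	if err != nil {
		return false, err
	}
	toCharlie, err := Encrypt(charlie, inner)
	if err != nil {
		return false, err
	}
	got, err := Decrypt(charlie, toCharlie)
	return err == nil && Verify(got, alice, charlie) == nil, err
}

func main() {
	alice, _ := NewParty("alice")
	bob, _ := NewParty("bob")
	charlie, _ := NewParty("charlie")
	fmt.Println(Scenario(alice, bob, charlie, ""))    // true <nil>
	fmt.Println(Scenario(alice, bob, charlie, "bob")) // false <nil>
}
```

The whole of the fix lives in Verify's second check; everything else is the ordinary sign-then-encrypt pipeline. Note that the check only helps if the recipient name is part of the signed bytes: a "signed for" field carried outside the signature could simply be rewritten by whoever holds the clearsigned layer.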