Fwd: crypto flaw in secure mail standards

David Shaw dshaw@jabberwocky.com
Mon Jun 25 04:50:01 2001


On Sun, Jun 24, 2001 at 09:40:50PM -0400, Anthony E. Greene wrote:

> On Sat, 23 Jun 2001, Ingo Kloecker wrote:
> [excerpt of a paper by Don Davis]
> >Suppose Alice and Bob are business partners, and are setting
> >up a deal together. Suppose Alice decides to call off the
> >deal, so she sends Bob a secure-mail message: "The deal is off."
> >Then Bob can get even with Alice:
> >
> > * Bob waits until Alice has a new deal in the works
> > with Charlie;
> > * Bob can abuse the secure e-mail protocol to re-encrypt
> > and resend Alice's message to Charlie;
> > * When Charlie receives Alice's message, he'll believe
> > that the mail-security features guarantee that Alice
> > sent the message to Charlie.
> > * Charlie abandons his deal with Alice.
> Wrong.
> Charlie sees that the message was not signed by Alice and contacts her to
> verify the status of their deal. Unsigned messages are worthless in this
> context, encrypted or not.
> When verifying authorship, the presence or absence of a valid signature is
> relevant, the presence or absence of encryption is not.
Mr. Davis's paper points out that OpenPGP (and hence GnuPG) signs and encrypts documents by essentially clearsigning the document, then wrapping the clearsigned document in a layer of encryption. It is thus possible for Alice to send a signed and encrypted mail to Bob, Bob decrypts it, recovering the clearsigned message, and then re-encrypts it to Charlie. Charlie will receive the original document with Alice's signature intact.

It is an interesting attack, but it is really more of a social attack than a crypto attack. The exploitability of this relies on Alice writing "The deal is off" rather than "Hey Bob, the deal is off". Hopefully Charlie would also notice the timestamp on the signature is old. :)

The suggested fix to make the inner signature somehow tied to the outer encryption layer would indeed fix the problem, but it does create other interesting issues. As things stand now, a signed document does not have any notion of who it was signed for. The suggested fix would change that so a document would essentially be signed "for" somebody. Presumably implementations would keep the ability to sign without tying it to a particular destination key for those cases where signing a document for a particular recipient is not appropriate.

David

-- 
David Shaw | dshaw@jabberwocky.com | WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
"There are two major products that come out of Berkeley: LSD and UNIX. We
don't believe this to be a coincidence." - Jeremy S. Anderson