Fwd: crypto flaw in secure mail standards
Mon Jun 25 04:50:01 2001
On Sun, Jun 24, 2001 at 09:40:50PM -0400, Anthony E. Greene wrote:
> On Sat, 23 Jun 2001, Ingo Kloecker wrote:
> [excerpt of a paper by Don Davis]
> >Suppose Alice and Bob are business partners, and are setting
> >up a deal together. Suppose Alice decides to call off the
> >deal, so she sends Bob a secure-mail message: "The deal is off."
> >Then Bob can get even with Alice:
> > * Bob waits until Alice has a new deal in the works
> > with Charlie;
> > * Bob can abuse the secure e-mail protocol to re-encrypt
> > and resend Alice's message to Charlie;
> > * When Charlie receives Alice's message, he'll believe
> > that the mail-security features guarantee that Alice
> > sent the message to Charlie.
> > * Charlie abandons his deal with Alice.
> Charlie sees that the message was not signed by Alice and contacts her to
> verify the status of their deal. Unsigned messages are worthless in this
> context, encrypted or not.
> When verifying authorship, the presence or absence of a valid signature is
> relevant, the presence or absence of encryption is not.
Mr. Davis's paper points out that OpenPGP (and hence GnuPG) signs and
encrypts documents by essentially clearsigning the document, then
wrapping the clearsigned document in a layer of encryption.
It is thus possible for Alice to send a signed and encrypted mail to
Bob, Bob decrypts it, recovering the clearsigned message, and then
re-encrypts it to Charlie. Charlie will receive the original document
with Alice's signature intact.
It is an interesting attack, but it is really more of a social attack
than a crypto attack. The exploitability of this relies on Alice
writing "The deal is off" rather than "Hey Bob, the deal is off".
Hopefully Charlie would also notice the timestamp on the signature is
The suggested fix to make the inner signature somehow tied to the
outer encryption layer would indeed fix the problem, but it does
create other interesting issues. As things stand now, a signed
document does not have any notion of who it was signed for. The
suggested fix would change that so a document would essentially be
signed "for" somebody. Presumably implementations would keep the
ability to sign without tying it to a particular destination key for
those cases where signing a document for a particular recipient is not
David Shaw | email@example.com | WWW http://www.jabberwocky.com/
"There are two major products that come out of Berkeley: LSD and UNIX.
We don't believe this to be a coincidence." - Jeremy S. Anderson
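The re-encryption step described in the message above, as an added example that is not part of this thread, of Don Davis's paper, or of GnuPG. It models the structure only: a signer's private key is stood in for by an HMAC key and a recipient's public key by a symmetric key (both constructed here, not real OpenPGP keys), and encryption is a SHAKE-256 keystream. The names alice, bob and charlie, the KEYS table and the "for" field in the signed data are all assumptions of this example. The "for" field is one way to realise the "signed for somebody" idea in the message: the recipient's name goes under the signature, so a copy that Bob re-encrypts to Charlie still carries a valid signature, but one that names Bob, and Charlie's verifier rejects it.

```python
import hashlib
import hmac
import json
import os

# Constructed stand-ins (example only, not OpenPGP): a signer's private key is an
# HMAC key, a recipient's public key is a symmetric key. Only the structure matters:
# what the signature covers, and what the encryption layer does not add to it.
KEYS = {
    "alice-sign": b"alice signing key",
    "bob-enc": b"bob encryption key",
    "charlie-enc": b"charlie encryption key",
}


def sign(signer, body, intended_for=None):
    """Clearsign `body`. If `intended_for` is given, the recipient's name is part
    of the signed data, so the signature is made 'for' that recipient."""
    signed_data = json.dumps({"body": body, "for": intended_for}).encode()
    sig = hmac.new(KEYS[signer + "-sign"], signed_data, hashlib.sha256).hexdigest()
    return {"signer": signer, "body": body, "for": intended_for, "sig": sig}


def verify(signed, me):
    """True if the signature is valid and, when it names a recipient, names `me`.
    An unbound signature (for=None) is accepted by anyone, as today."""
    signed_data = json.dumps({"body": signed["body"], "for": signed["for"]}).encode()
    expected = hmac.new(KEYS[signed["signer"] + "-sign"], signed_data, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["sig"]):
        return False
    return signed["for"] in (None, me)


def _keystream(key, nonce, n):
    return hashlib.shake_256(key + nonce).digest(n)


def encrypt(recipient, plaintext):
    """Encrypt to `recipient`. Nothing in this layer is covered by the signer."""
    nonce = os.urandom(16)
    ks = _keystream(KEYS[recipient + "-enc"], nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    return {"to": recipient, "nonce": nonce.hex(), "ct": ct.hex()}


def decrypt(recipient, envelope):
    ct = bytes.fromhex(envelope["ct"])
    ks = _keystream(KEYS[recipient + "-enc"], bytes.fromhex(envelope["nonce"]), len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def sign_and_encrypt(signer, recipient, body, bind=False):
    """Sign-then-encrypt as the message describes: signature inside, encryption outside."""
    inner = sign(signer, body, intended_for=recipient if bind else None)
    return encrypt(recipient, json.dumps(inner).encode())


def receive(recipient, envelope):
    """Decrypt, then verify the inner signature. Returns (signer, verified)."""
    inner = json.loads(decrypt(recipient, envelope))
    return inner["signer"], verify(inner, recipient)


def surreptitious_forward(bind=False):
    """Alice -> Bob, then Bob re-encrypts the recovered signed message to Charlie.
    Returns (what Bob saw, what Charlie sees)."""
    to_bob = sign_and_encrypt("alice", "bob", "The deal is off.", bind=bind)
    bob_view = receive("bob", to_bob)
    # Bob strips the encryption layer and re-wraps the signed message for Charlie.
    signed_inner = decrypt("bob", to_bob)
    to_charlie = encrypt("charlie", signed_inner)
    charlie_view = receive("charlie", to_charlie)
    return bob_view, charlie_view


if __name__ == "__main__":
    print("unbound signature:", surreptitious_forward(bind=False))
    print("signed for Bob:   ", surreptitious_forward(bind=True))
```

With bind=False Charlie sees a message signed by Alice that verifies, exactly as the message above says he would; with bind=True the same forwarded copy fails at Charlie because the signed data says it was made for Bob. Note that the check lives in the verifier: binding the recipient into the signature does nothing unless the receiving side refuses signatures made for someone else.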