Fwd: crypto flaw in secure mail standards
Mon Jun 25 06:22:01 2001
Content-Type: text/plain; charset=us-ascii
On Sun, Jun 24, 2001 at 11:58:35PM -0400, Anthony E. Greene wrote:
> On Sun, 24 Jun 2001, David Shaw wrote:
> >Mr. Davis's paper points out that OpenPGP (and hence GnuPG) signs and
> >encrypts documents by essentially clearsigning the document, then
> >wrapping the clearsigned document in a layer of encryption.
> >It is thus possible for Alice to send a signed and encrypted mail to
> >Bob, Bob decrypts it, recovering the clearsigned message, and then
> >re-encrypts it to Charlie. Charlie will receive the original document
> >with Alice's signature intact.
> The encryption in this example is beside the point and in fact is a
> distraction to the primary argument; that signed data can be taken out of
> context, given sufficiently vague data and a forgeable delivery mechanism.
I think the point of the encryption in the example was to show how a
user could be confused.
Everyone understands what a (clear)signed document is and that it can
be forwarded by the recipient to someone else without harming the
signature. The idea behind a sign-and-encrypt is that it goes *to
someone*. The user's assumption may well be that since the document
can only be read by the recipient, then the signed data can only be
used by them as well.
Obviously this is completely incorrect, but I can see how a user could
think that way.
Somebody on another list pointed out that this situation was exactly
like the real-world analog of a signed document in an envelope. If
you sign something and put it in an envelope, nothing stops the
recipient from opening the envelope and re-sending the signed contents
to someone else.
> >It is an interesting attack, but it is really more of a social attack
> >than a crypto attack.
David Shaw | firstname.lastname@example.org | WWW http://www.jabberwocky.com/
"There are two major products that come out of Berkeley: LSD and UNIX.
We don't believe this to be a coincidence." - Jeremy S. Anderson
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
-----END PGP SIGNATURE-----