Signature verification problem

David Shaw
Wed Jul 31 20:18:02 2002

On Wed, Jul 31, 2002 at 04:15:43PM +0200, Konrad Podloucky wrote:

> I'm just in the process of evaluating some OpenPGP solutions for the
> company I work for, and I stumbled onto this problem:
> I used CryptoEx' Outlook plugin to cleartext-sign a mail, which I tried to
> verify with gpg.
> gpg gives me a BAD signature (both 1.0.6 and 1.0.7). However CryptoEx'
> plugin verifies the signature as being good (OK, otherwise it would be
> pretty embarrassing) and NAI's PGP (7.0.3) also says that the signature is
> ok.
> I've attached the relevant message and the public part of the key used to
> sign the message. Unfortunately I don't have enough knowledge about the
> OpenPGP standard or the implementations to give this problem a better look.
> Would be great if somebody could shed some light on this issue.

CryptoEx is not generating proper messages.  Specifically, it is
missing the "Hash:" header to indicate the hash used in the document.

RFC-2440 says "If the "Hash" armor header is given, the specified
message digest algorithm is used for the signature. If there are no
such headers, MD5 is used, an implementation MAY omit them for V2.x

This message uses SHA1 as the hash, but by omitting the "Hash: SHA1"
header, it is claiming to use the MD5 hash.

Note that if you change your message to stick in the missing header,
it verifies correctly:

Hash: SHA1

This is a signature test.

Version: CryptoEx OpenPGP Engine Version 2.1
Comment: CryptoEx Client Suite -


I imagine it works on PGP because of "be conservative in what you
generate and liberal in what you accept" and so PGP double-checks the
claimed hash against the actual signature data in some manner.

It could be (and should be) argued that GnuPG should do the same here,
but nevertheless this is a bug in CryptoEx.


   David Shaw  |  |  WWW
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson