Standard weakness: surreptitious forwarding

David Picón Álvarez eleuteri@myrealbox.com
Thu Jun 6 20:52:02 2002


Hello,

I've read the paper and unless I'm mistaken, what you write here is not
correct, and if it were it would be much more serious.


> 1. surreptitious forwarding means:
> a recipient B may change a received message from sender A so that he can
> forward it to another recipient C letting C suppose he is the intended
> recipient.

Insofar as I know: a recipient B may only encrypt a message signed by A and
then send it to C in order to make C believe that the message came from A to
C, but can't change content which is protected by digital signature.

> 2. Short explanation for the weakness of sign then encrypt:
> 1st think of sign as the signing of a letter/paper written with a pen.

Actually, signing is more like the seal in a packet, if you accept my
metaphor. If something is signed, any change of its interior will be
noticed. The packet is transparent, but messing about with content is
impossible.

> The encrypting is the same as putting the letter in an envelope. B may
> change the envelope and send/forward the letter to C confusing him/her.

That, which is true in theory, has little chance of being so in practice.
Most messages contain clear indications of their intended recipient, just
due to the way they're written, the context, quoting an earlier message,
etc.

> 3. Short explanation for the weakness of encrypt then sign:
> B receives a letter with a signed envelope. He opens the envelope and
> puts another letter in it with a different message.

That's not correct. B cannot under any circumstances change the message
because the message is signed. Of course, B may write a message of its own,
but not with A's signature on it. Unless I'm mistaken.



--David.
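
An added illustration of the sign-then-encrypt case discussed in this message (not part of the original post or of the paper it refers to): B re-wraps A's signed text for C, the signature still verifies, altered content does not, and a receiver-side check for the recipient's name inside the signed text flags the misdirection. The toy RSA, the constructed keys, the `To:` line convention and all function names are assumptions made for the demonstration.

```python
import hashlib, secrets

E = 65537  # public exponent; textbook RSA without padding, toy sizes, demo only

def keypair(p, q):
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def _digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(priv, msg):
    return pow(_digest(msg, priv["n"]), priv["d"], priv["n"])

def verify(n, msg, sig):
    return pow(sig, E, n) == _digest(msg, n)

def _xor(key, data):
    # XOR with a SHA-256 counter keystream derived from the session key
    ks = b"".join(hashlib.sha256(b"%d:%d" % (key, i)).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def encrypt(n, blob):
    key = secrets.randbits(64)  # session key, wrapped under the recipient's RSA key
    return pow(key, E, n), _xor(key, blob)

def decrypt(priv, env):
    return _xor(pow(env[0], priv["d"], priv["n"]), env[1])

def sign_then_encrypt(sender, recipient_n, msg):
    return encrypt(recipient_n, msg + b"\n%x" % sign(sender, msg))

def open_envelope(priv, sender_n, env):
    msg, _, sig = decrypt(priv, env).rpartition(b"\n")
    return msg, verify(sender_n, msg, int(sig, 16))

def names_recipient(msg, name):
    # Receiver-side check: the signed text itself must say who it is for
    return msg.startswith(b"To: " + name + b"\n")

# Constructed keys built from Mersenne primes: A signs, B and C receive.
A = keypair(2**31 - 1, 2**61 - 1)
B = keypair(2**89 - 1, 2**107 - 1)
C = keypair(2**127 - 1, 2**521 - 1)

def scenario(text):
    blob = decrypt(B, sign_then_encrypt(A, B["n"], text))          # B opens A's mail
    msg, ok = open_envelope(C, A["n"], encrypt(C["n"], blob))      # same blob, new envelope
    _, altered = open_envelope(C, A["n"], encrypt(C["n"], b"X" + blob))  # content changed
    return ok, altered, names_recipient(msg, b"B"), names_recipient(msg, b"C")
```

`scenario(b"To: B\nThe deal is off.")` returns `(True, False, True, False)`: A's signature is valid when C opens the re-wrapped message, the altered copy fails verification, and the signed text names B rather than C.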


