[10890] in bugtraq
PGP Encryption (ASCII RADIX-64) Munging by Microsoft Exchange.
daemon@ATHENA.MIT.EDU (Jay D. Dyson)
Thu Jun 24 12:16:42 1999
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.GSO.3.96.990622131324.4770A-100000@techreports.jpl.nasa.gov>
Date: Tue, 22 Jun 1999 13:17:50 -0700
Reply-To: "Jay D. Dyson" <jdyson@TECHREPORTS.JPL.NASA.GOV>
From: "Jay D. Dyson" <jdyson@TECHREPORTS.JPL.NASA.GOV>
To: BUGTRAQ@NETSPACE.ORG
Content-Transfer-Encoding: 8bit
-----BEGIN PGP SIGNED MESSAGE-----
Hi folks,
I've searched high and low for other reports regarding this and
have found none. Thus, I'm filing this risk report.
HISTORY: I've been using PGP v2.x for years in conjunction with
many a mail program: Pine, Eudora, Netscape (v3.x Navigator, not v4.x
Communicator), and Elm. In all that time, I never encountered a problem
with sending or receiving encrypted mail regardless of the Mail Transport
Agent (MTA) to which I've sent or received mail.
Until now.
PROBLEM: After initiating encrypted correspondence, my contact at
Honeywell and I have come to the distinct conclusion that Microsoft
Exchange has a "feature" (*gag*choke*retch*) that tries to interpret PGP
encrypted messages sent in ASCII RADIX-64 format into "human" terms.
Characters were stripped or merged (i.e., AE became "Æ" and so on). As a
consequence, the messages failed their checksums.
IMPACT: Communications are compromised by the Exchange MTA to the
point that messages cannot be decrypted and must be re-sent by other
means, wasting a lot of time and placing time-sensitive data at risk of
becoming useless. Another possible risk would be some users eventually
abandoning use of encryption for sensitive communications and sending data
in the clear. (I didn't resort to that, but I'm stubborn that way.) Even
attempts at using another Microsoft product -- Internet Explorer -- as a
workaround failed miserably. When attempting to send encrypted_file.txt
(using Apache v1.3.6 on the server side), Explorer also tried "interpreting"
the PGP-encyrpted message and stripped out phrases like "=67", so the
final line in the encrypted message ended up being changed from "=67Rg" to
"gRg". Once again, checksum failure.
SOLUTION: My personal feeling is that individuals and agencies
that use PGP or GPG should use any other MTA but Microsoft Exchange. (I'll
spare the gentle reader my views on Microsoft's Internet Explorer for
now.) However, I recognize that some folks are stuck with Microsoft
Exchange and related products as an "institutional solution," (sic) so I
alternatively recommend that said users not send PGP encrypted messages in
ASCII RADIX-64 format to Outlook users, but instead encrypt them as binary
files and send them as attachments. Fortunately, Outlook doesn't seem to
want to "interpret" attached binaries.
CAVEATS: I have not sought confirmation on whether this same sort
of behavior occurs with the PGP v5.x/v6.x plug-in for Exchange from
Network Associates (I somehow doubt it does). While I do use PGP v6.x, I
do so only to communicate via Eudora with technophobes who can't get along
without a GUI. (I do not trust PGP 5.x and higher for Windows as the
SWAP attack alone leaves me cold.) Additionally, I refuse to load and
operate Microsoft Exchange on my Windows machine.
- -Jay
( ______
)) .--- "There's always time for a good cup of coffee" ---. >===<--.
C|~~| (>--- Jay D. Dyson - jdyson@techreports.jpl.nasa.gov ---<) | = |-'
`--' `- Superman had Kryptonite, I have NT. Life is real. -' `-----'
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBN2/vds2OVDpaKXD9AQGnPwP/bzDDcPeaUyC3raq9HQ/3R2kl6hL1L+lP
4k6rs6wYBLS/ku/lD4LbSGZHEoZFlYSu1ZrUhsWe9AFgnYDv6+cadLw2L+y8ztQO
g4N/X5Cv1U7X8fbCqvJ1qTo/I2wL+j6VhDkSb9aFg4tiHi7fLWERrrQ7+2FOSfhA
jEL974kOQGc=
=lcP0
-----END PGP SIGNATURE-----
