[21160] in bugtraq
Re: crypto flaw in secure mail standards
daemon@ATHENA.MIT.EDU (David Howe)
Fri Jun 22 22:28:08 2001
Message-ID: <00b201c0fb47$1ff566c0$c71121c2@sharpuk.co.uk>
Reply-To: "David Howe" <DaveHowe@Bigfoot.com>
From: "David Howe" <DaveHowe@Bigfoot.com>
To: <bugtraq@securityfocus.com>
Date: Fri, 22 Jun 2001 19:12:25 +0100
> * Bob can abuse the secure e-mail protocol to re-encrypt
> and resend Alice's message to Charlie;
This is abuse of the order in which signing and encryption take place - i.e.
encrypt(sign(message))
this implies you can extract sign(message) from the outer envelope, and then
send recrypt(sign(message)) and have it accepted as valid. (which is of
course true)
However, I fail to see how this would differ from a physical envelope and a
signed note - if Alice had written
"The deal is off." on a piece of headed paper, and signed it, then sent it
to Bob, he could indeed re-enclose that in another envelope and send it to
Charlie. However, just as you would not sign a piece of paper that says
simply "I agree to the contract" you would not logically sign a note
cancelling a deal, unless you include sufficient text to make it
unambiguous - a signed note with "Bob, I have thought over the contract for
your services, and decided not to go ahead with it" would be of no value to
Bob for this purpose.
PGP places signature inside encryption for a reason - not only
(deliberately) so you can extract sign(message) with the signature intact,
but to hide the identity of the signer from those who can't decrypt the
outer wrapper.
> * Bob abuses the secure e-mail protocol to re-encrypt and
> resend Alice's sales-plan, with her digital signature,
> to a rival company's salesman Charlie.
In this case, if Alice were to sign this at all, she should sign after
encryption - thus giving sign(encrypt(message)) - given that asymmetric
encryption is to a specified person or persons, recrypt(message) would not
implicate Alice (as the signature has been discarded)
> * Charlie brags openly about getting the sales plan from
> Alice. When he's accused in court of stealing the plan,
> Charlie presents Alice's secure e-mail as evidence of
> his innocence.
The real question here is - how long would it take an Expert Witness (and
*I* would hire one quick enough if this got to court) to duplicate the
message by taking an unencrypted but digitally signed copy of the document
and simply wrapper-encrypting it to Charlie?
> Surprisingly, standards-compliant secure-mail clients will
> not detect these attacks.
That is because it isn't an attack - you are confusing the envelope with the
contents. The reason these "attacks" work is *because* sign is a separate
operation to encrypt - I have signed executables from several software
authors downloaded from the web. If I encrypt those and send them to
someone, I do not somehow create a message from that author to that person -
I am simply forwarding a signed object.
If the security problem is that encrypt(sign(message)) is being interpreted
wrongly as "signer sent this message to encryption target" then you need to
attack that assumption, not the system.
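
Added example, not part of the original message: a recipient-side check showing that a valid signature inside encrypt(sign(message)) proves authorship only, and that naming the recipient inside the signed text (the "sufficient text" point above) lets the final reader tell a re-enveloped copy apart. The toy RSA, the key sizes and every function and field name are assumptions made for illustration and are not PGP or S/MIME code.

```python
import hashlib, json, secrets

# Toy textbook RSA over constructed Mersenne primes: illustration only.
def keypair(p, q, e=65537):
    n = p * q
    return {"n": n, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key, data):
    return pow(_digest(data, key["n"]), key["d"], key["n"])

def verify(key, data, sig):  # uses only the public half (n, e)
    return pow(sig, key["e"], key["n"]) == _digest(data, key["n"])

def _xor(k, data):
    stream = hashlib.shake_256(str(k).encode()).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def encrypt(key, data):  # RSA-wrapped random session key + XOR keystream
    k = secrets.randbelow(key["n"] - 2) + 2
    return pow(k, key["e"], key["n"]), _xor(k, data)

def decrypt(key, env):
    return _xor(pow(env[0], key["d"], key["n"]), env[1])

def seal(sender, rcpt, text, to=None):
    """encrypt(sign(message)); `to`, if given, is part of the signed bytes."""
    signed = json.dumps({"to": to, "text": text})
    inner = json.dumps({"signed": signed, "sig": sign(sender, signed.encode())})
    return encrypt(rcpt, inner.encode())

def reenvelope(me, env, new_rcpt):  # recrypt(sign(message)) from the post
    return encrypt(new_rcpt, decrypt(me, env))

def open_and_check(me, sender, env, my_name):
    inner = json.loads(decrypt(me, env))
    if not verify(sender, inner["signed"].encode(), inner["sig"]):
        return "bad-signature"
    to = json.loads(inner["signed"])["to"]
    if to is None:  # valid signature proves authorship, not the intended reader
        return "signed-but-unaddressed"
    return "addressed-to-me" if to == my_name else "addressed-to-someone-else"

# Constructed sample keys for the three parties in the thread.
ALICE = keypair(2**31 - 1, 2**61 - 1)
BOB = keypair(2**89 - 1, 2**107 - 1)
CHARLIE = keypair(2**127 - 1, 2**521 - 1)
```

With no recipient in the signed text, Bob's original and Charlie's re-enveloped copy both come back as "signed-but-unaddressed"; with to="bob" signed in, Charlie's copy reports "addressed-to-someone-else".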