ietf-mailsig

Re: Two Identified Internet Mail Vulnerabilities

2005-02-02 17:13:10

Thomas,

Thanks for your report.  Comments inline.

Thomas Roessler wrote:

There seem to be two security-relevant vulnerabilities in
draft-fenton-identified-mail-01.txt.

1. MIME.  When a site sends e-mail with the body length count
different from -1, then an attacker can change the message's
"Content-Type" header to "multipart/mixed" with a boundary parameter
that occurs nowhere in the message's body.  The attacker can then
proceed to append a valid MIME multipart body to the message without
invalidating the IIM signature. According to section 5.5.1 of RFC
2046, receiving agents will have to ignore the original signed
message's content, and display only the material appended by the
attacker.

One cure to this attack would consist in using multipart/signed
messages, as PGP/MIME and S/MIME do.

That's very interesting; this is the first I have heard of this vulnerability.

It occurs to me that requiring the signing of the Content-Type header would address this problem. Do you think so?

2. Fingerprints.  The key fingerprint used by IIM seems to be based
on concatenating the public exponent's and modulus' bit strings,
without any indication where one begins and the other ends.  Hence,
it is possible for an attacker to shift the limit between the two.
The attacker then obtains a number of candidate (exponent, modulus)
pairs that will lead to the same fingerprint; notably, the modulus
in these candidate pairs can be chosen much shorter than the
original one.  The attacker can then search for a modulus that has
two divisors, and generate the corresponding private exponent.  This
attack was described at [1], as an attack on the PGP 2 public key
fingerprint design.

To fix this attack, it would be useful to use a fingerprint format
that makes sure that no bits can be shifted between the public
exponent and the RSA modulus.

1. http://cypherpunks.venona.com/date/1997/06/msg00523.html

This one has been reported before but we haven't updated the published spec yet because we are hoping that we can go in the direction of a merger between IIM and DomainKeys instead. The latest IIM implementation on SourceForge (http://sourceforge.net/projects/identifiedmail/) has this fixed; what we had to do was incompatibly change the fingerprint calculation by adding the length of the modulus and exponent.

Thanks again.  We'll definitely give the MIME vulnerability more thought.

-Jim
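
The boundary ambiguity from item 2 and the length-based fix described in the reply, as an added example that is not part of the original thread or the IIM code. SHA-256, the byte encoding, the field order and the 4-byte length prefix are assumptions, and the "modulus" is a constructed stand-in value, not a real key.

```python
import hashlib

def to_bytes(x: int) -> bytes:
    """Minimal big-endian encoding of a positive integer."""
    return x.to_bytes((x.bit_length() + 7) // 8, "big")

def fp_concat(e: int, n: int) -> str:
    """Ambiguous form: exponent bytes directly followed by modulus bytes."""
    return hashlib.sha256(to_bytes(e) + to_bytes(n)).hexdigest()

def fp_length_prefixed(e: int, n: int) -> str:
    """Each field preceded by its 4-byte length, so the boundary is hashed too."""
    h = hashlib.sha256()
    for field in (to_bytes(e), to_bytes(n)):
        h.update(len(field).to_bytes(4, "big"))
        h.update(field)
    return h.hexdigest()

def shifted_pairs(e: int, n: int) -> list:
    """Other (exponent, modulus) readings of the same concatenated bytes."""
    blob, original = to_bytes(e) + to_bytes(n), len(to_bytes(e))
    pairs = []
    for i in range(1, len(blob)):
        # A part starting with a zero byte would re-encode to different bytes.
        if i == original or blob[i] == 0:
            continue
        pairs.append((int.from_bytes(blob[:i], "big"),
                      int.from_bytes(blob[i:], "big")))
    return pairs

# Constructed sample values: a common exponent and a 16-byte stand-in "modulus".
E = 65537
N = int.from_bytes(bytes(range(0x81, 0x91)), "big")

if __name__ == "__main__":
    for e2, n2 in shifted_pairs(E, N):
        same_old = fp_concat(e2, n2) == fp_concat(E, N)
        same_new = fp_length_prefixed(e2, n2) == fp_length_prefixed(E, N)
        print(f"modulus bits={n2.bit_length():3d} concat match={same_old} "
              f"length-prefixed match={same_new}")
```

Every alternative reading matches the plain-concatenation fingerprint and none matches the length-prefixed one, which is why the fix had to be an incompatible change to the fingerprint calculation.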

