ietf-openpgp

binding cryptography

1997-10-17 16:52:57

Padgett Peterson <PADGETT@hobbes.orl.lmco.com> writes:
> Adam Back <aba@dcs.ex.ac.uk> writes:
> > In addition it is acknowledged that this is a weak enforcement in that
> > it is relatively easy to create messages which will fool the CMR
> > enforcement agent, which will still be decryptable by Alice.
>
> That goes without saying: unless the policy server contains the CMR private
> key (which will not happen unless someone is completely clueless) it will
> be unable to do more than verify that something which appears to be the
> CMR header exists in the file. Such an appendage would be trivial to add.
>
> If the server could do more, THEN I would be concerned.

One way that the server could be modified to do more would be to use
Koops et al.'s Binding Cryptography construct.  (A net search would find
the htmlized paper.)

It works with El Gamal and allows a fourth party (the SMTP CMR
enforcer in this case) to verify that the same session keys are used
inside the PKE without need for access to the CMR private key.  This
provides the third party with better enforcement.

When Binding Cryptography was discussed first by its authors on
cypherpunks, Hal Finney came up with several ways to bypass it.

The obvious one (super-encrypt), and the suggestion that you could
make the session key itself be a public key encrypted packet, so that
the fourth party would find that the two session keys were correct,
but when the third party tried to decrypt, it would find a key which
didn't work; the true recipient would decrypt the nested public key
and use the session key contained in that.

However, this offers significant extra protection against hacking by
the sender because the sender would then require co-operation with the
receiver.

Crude protection against super-encryption could be provided by having
the client refuse to accept plaintext which looked like a pgp message.

Just trying to be helpful in ensuring the enforcement is all it's
cracked up to be.

Adam
-- 
Now officially an EAR violation...
Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/

print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`