ietf-openpgp

Re: secure sign & encrypt

2002-05-21 11:32:20

On 5/21/2002 8:36 AM, "vedaal" <vedaal(_at_)hotmail(_dot_)com> wrote:

> Also, could the MDC be utilized to prevent such substitutions, by detecting
> alterations of any of the packets?

No. The MDC protects the contents of the symmetric encryption. It does not
protect the ESKs. Nothing protects them, beyond their own encryption.

It would be possible, for example, to make an SMTP server that took a PGP
message with several ESKs in one message, and explode that into N messages,
each with only one ESK. If such a thing existed, the receiver could not
detect it. 

As Derek mentioned, you could even put in utterly bogus MDCs. These could
never be detected as bogus unless you happened to have the key that opened
it.

There are a number of interesting "harassment attacks" that you can do. For
example, let's suppose I run a server that's an intermediate between Alice
and Bob. I intercept Alice's message, and then add in an ESK
that's encrypted to the Lotus Notes/NSA key that Adam Back created into a
PGP key. This is utterly bogus -- I just made up some 128-bit number and
encrypted it to that key. But I insert it in the message and send it on to
Bob. If Bob concludes that Alice is CCing the NSA on messages, then that's a
not unreasonable conclusion to draw. I can just sit back and snicker.

It's important to understand what's in the envelope and what is not in the
envelope. The ESK is like the address on an envelope. It's not in the
envelope. It's outside the envelope and is not protected.

    Jon
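
The envelope analogy above, as an added example that is not part of the original message: a Python walk over the top-level packets of an OpenPGP message, separating the ESK key IDs (outside the encryption) from the encrypted data packet whose contents the MDC covers. The function names, key IDs and filler bytes are constructed for illustration; the packet tags and header layout follow RFC 4880.

```python
PKESK, SED, SEIPD = 1, 9, 18  # OpenPGP packet tags (RFC 4880)

def packets(data):
    """Yield (tag, body) for each top-level OpenPGP packet."""
    i = 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:  # new format: tag in the low 6 bits
            tag, first, i = hdr & 0x3F, data[i], i + 1
            if first < 192:
                n = first
            elif first < 224:
                n, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                n, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths not handled")
        else:  # old format: tag in bits 5-2, length type in bits 1-0
            tag, size = (hdr >> 2) & 0x0F, 1 << (hdr & 0x03)
            if size == 8:
                raise ValueError("indeterminate length not handled")
            n, i = int.from_bytes(data[i:i + size], "big"), i + size
        if i + n > len(data):
            raise ValueError("truncated packet")
        yield tag, data[i:i + n]
        i += n

def envelope_view(msg):
    """Return (ESK key IDs found outside the encryption, encrypted data packet body)."""
    key_ids, body = [], None
    for tag, pkt in packets(msg):
        if tag == PKESK and pkt[:1] == b"\x03":  # v3 PKESK: version, 8-byte key ID, ...
            key_ids.append(pkt[1:9].hex().upper())
        elif tag in (SED, SEIPD):  # only this packet's contents are covered by the MDC
            body = pkt
    return key_ids, body

def sample_pkt(tag, body):  # constructed-sample helper: new-format header, one-octet length
    return bytes([0xC0 | tag, len(body)]) + body
def sample_esk(key_id_hex):  # constructed v3 PKESK: filler MPI, not a real encrypted key
    return sample_pkt(PKESK, b"\x03" + bytes.fromhex(key_id_hex) + b"\x01\x00\x08\xAA")

# Constructed messages: same encrypted packet, different ESKs in front of it.
BODY = sample_pkt(SEIPD, b"\x01" + b"constructed ciphertext + MDC")
AS_SENT = sample_esk("1111111111111111") + sample_esk("2222222222222222") + BODY
AS_RECEIVED = sample_esk("2222222222222222") + BODY
print(envelope_view(AS_SENT), envelope_view(AS_RECEIVED))
```

Both views return the same encrypted packet, so nothing in the protected part records which ESKs travelled with it.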