ietf-openpgp

Re: secure sign & encrypt

2002-05-23 05:32:10

Terje Braaten <Terje(_dot_)Braaten(_at_)concept(_dot_)fr> writes:

> Alice makes a love poem, signs & encrypts it and sends it to Bob.
> Some months later they have broken up with each other. Bob decides
> to be mean to Alice, and encrypts the signed love poem and sends it
> to Charlie, faking the From header in the mail so it looks like it is
> from Alice. Then Charlie has a message that is encrypted to him and signed
> by Alice. It seems to Charlie like it is created by sign & encrypt in
> PGP, so he is convinced this must be a message from Alice that she
> has encrypted specially for him.

Note that this will already say:

Good signature from Alice.
Signature made <Date three months ago>

Don't you think Charlie would be suspicious about that?  I would
certainly be suspicious if the signature date wasn't pretty close
to the mail date.  And I would also be suspicious if the mail date
wasn't close to "today".

> What I would like is any PGP implementation to be able to display a message
> like "Good signature from nn. Warning, this message is not made with atomic
> sign & encrypt, and may be encrypted by someone else."

You see, I view this just like regular mail.  There is the envelope
information, and there is the "letter".  By _CONVENTION_ the person
writing a letter duplicates the envelope information on the inside.
This is not done automatically by the Postal Service, nor is it done
automatically by the enveloping process.  A user could just as easily
leave that information out of the letter (thereby opening themselves
to this same attack in meatspace).

This is not something that should be solved at the Protocol Layer.
Repeat to yourself: IT IS A FEATURE THAT SIGN AND ENCRYPT ARE
SEPARABLE OPERATIONS.  Once you make that statement, there is no way,
short of layering violations, to do what you want to do except at the
application layer duplicating the information.

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord(_at_)MIT(_dot_)EDU                        PGP key available
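
The checks discussed in this message, sketched as an added example; it is not part of the original post or of any PGP implementation. It assumes the signature has already been verified by an OpenPGP implementation, which supplies the signer address and signature time, and that the sender follows the convention of opening the signed text with its own To:/Date: lines. The function name, the one-day tolerance and all sample data are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

MAX_SKEW = timedelta(days=1)  # assumed tolerance; not a value from the thread

def envelope_warnings(outer_raw, signed_text, signer, sig_time, me, now):
    """Checks to run after the signature has verified as `signer` at `sig_time`."""
    outer = message_from_string(outer_raw)
    # Assumed convention: the signed text opens with its own To:/Date: lines.
    inner = message_from_string(signed_text)
    found = []
    mail_date = parsedate_to_datetime(outer["Date"])
    if abs(mail_date - sig_time) > MAX_SKEW:
        found.append("signature date is not close to mail date")
    if abs(now - mail_date) > MAX_SKEW:
        found.append("mail date is not close to today")
    outer_from = {a.lower() for _, a in getaddresses([outer.get("From", "")])}
    if signer.lower() not in outer_from:
        found.append("From header does not match signer")
    inner_to = {a.lower() for _, a in getaddresses(inner.get_all("To", []))}
    if not inner_to:
        found.append("signed text names no recipient")
    elif me.lower() not in inner_to:
        found.append("signed text is addressed to someone else")
    return found

# Constructed sample data (example.org addresses, made-up dates).
UTC = timezone.utc
POEM = "To: bob@example.org\nDate: Thu, 14 Feb 2002 20:00:00 +0000\n\nRoses are red\n"
NOTE = "To: charlie@example.org\nDate: Thu, 23 May 2002 05:30:00 +0000\n\nLunch?\n"
OUTER = ("From: alice@example.org\nTo: charlie@example.org\n"
         "Date: Thu, 23 May 2002 05:32:10 +0000\n\n(encrypted payload)\n")
NOW = datetime(2002, 5, 23, 9, 0, tzinfo=UTC)

def demo_forwarded():
    # Bob re-encrypts Alice's old signed poem to Charlie under a forged From.
    return envelope_warnings(OUTER, POEM, "alice@example.org",
                             datetime(2002, 2, 14, 20, 0, tzinfo=UTC),
                             "charlie@example.org", NOW)

def demo_genuine():
    # Alice signs and encrypts a fresh note that names Charlie inside.
    return envelope_warnings(OUTER, NOTE, "alice@example.org",
                             datetime(2002, 5, 23, 5, 30, tzinfo=UTC),
                             "charlie@example.org", NOW)

if __name__ == "__main__":
    print(demo_forwarded())
    print(demo_genuine())
```

The forged From header passes the signer check in the forwarded case, so only the stale signature date and the recipient named inside the signed text give the re-encryption away.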
