This doesn't help. Any recipient could re-encrypt the message and
change the list of encrypted recipients.
-derek
disastry(_at_)saiknes(_dot_)lv writes:
disastry wrote:
fake pubkey encryption packets can be added
by man in the middle so that recipient thinks that message was encrypted
to him and to other preson.
I wrote about it here:
http://lists.gnupg.org/pipermail/gnupg-devel/2001-August/006285.html
I think this can be solved by modifying
Sym. Encrypted Integrity Protected Data Packet (Tag 18).
Now it is:
version byte == 1
encrypted data
encrypted data consists of:
encrypted iv
encrypted plaintext
encrypted Modification Detection Code Packet (Tag 19)
I suggest:
version byte == 2
encrypted data
encrypted data consists of:
encrypted iv
encrypted Recipients packet (Tag 20)
(put it before plaintext - if it would be after it would
be difficult to find where plaintext ends, when decrypting)
encrypted plaintext
encrypted Modification Detection Code Packet (Tag 19)
Recipients packet
version byte == 1
number of recipients, 2 bytes (should be enough..)
number_of_recipients*20 byte list of fingerprints recipient keys
(16 byte RSA v3 key fingerprints are appended with 4 zeros
(or maybe with 4 lowest keyid bytes? I think, it's even better))
this ensures that recipient list is intact not only for signed & encrypted
messages
but also for encrypted only messages.
__
Disastry http://disastry.dhs.org/
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord(_at_)MIT(_dot_)EDU PGP key available