
Re: Anybody know details about Schneier's "flaw"?

2002-08-17 05:42:46


At 03:13 AM 8/16/2002 +0100, Adam Back wrote:

> Also the attack for those who haven't read the paper is really
> low-tech.  They're just observing that if you can ask someone to
> decrypt a message you can use that to decrypt related messages.  So
> you intentionally garble a message, and hope the user sends you the
> garbled plaintext back to you to ask what went wrong.  The rest
> falls out of the fact that if you garble a few bits of a ciphertext
> most of the plaintext will still be intact.

Y'know, there's an even simpler attack with the same premise.  You
intercept an encrypted e-mail from Alice to Bob.  You take the mail
body out of the message and send that body to Bob under your e-mail
address (or under some address you control that Bob might mistake for
Alice's, which would be even better).  Bob decrypts the message and
replies to it, including the original message body by default.

The mistake here, on Bob's part, is to reply to a message without
paying attention to the e-mail address being used -- rather than
replying to a message with quoted garbage rather than just saying
"that was garbage -- send again".

 - Carl



|Carl M. Ellison         cme(_at_)acm(_dot_)org |
|    PGP: 75C5 1814 C3E3 AAA7 3F31  47B9 73F1 7E3C 96E7 2B71       |
+---Officer, arrest that man. He's whistling a copyrighted song.---+
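An added illustration, not part of the thread: Adam's "garble a few bits and most of the plaintext stays intact" observation modelled with AES in CFB mode (the unauthenticated mode classic OpenPGP used) beside AES-GCM, where the integrity tag makes a garbled message fail to decrypt instead of producing quotable plaintext. The key, IV, nonce and message are constructed demo values; flipping one ciphertext bit in CFB flips that plaintext bit, scrambles only the following 16-byte block, and leaves everything else readable.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
)

// Constructed demo key, IV and nonce (not real secrets; 16, 16 and 12 bytes).
var demoKey, demoIV, demoNonce = []byte("0123456789abcdef"), []byte("fedcba9876543210"), []byte("unique-nonce")
// cfb models classic OpenPGP's unauthenticated CFB mode (decrypt=false encrypts): nothing binds ciphertext to plaintext, so a garbled ciphertext still decrypts.
func cfb(key, iv, in []byte, decrypt bool) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	stream := cipher.NewCFBEncrypter(block, iv)
	if decrypt {
		stream = cipher.NewCFBDecrypter(block, iv)
	}
	out := make([]byte, len(in))
	stream.XORKeyStream(out, in)
	return out, nil
}

// flipBit returns a copy of data with one bit of byte idx inverted (the "garbling").
func flipBit(data []byte, idx int, bit uint) []byte {
	out := append([]byte(nil), data...)
	out[idx] ^= 1 << bit
	return out
}

// intactBytes counts plaintext positions that survive the garbling unchanged.
func intactBytes(original, recovered []byte) (n int) {
	for i := range original {
		if original[i] == recovered[i] {
			n++
		}
	}
	return n
}

// gcm is the hardened counterpart: AES-GCM authenticates the ciphertext, so Open rejects a garbled message with an error instead of returning plaintext.
func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
```

The defender's takeaway is the second half: with an integrity check (what later OpenPGP added as the MDC, or any AEAD mode), the recipient gets a decryption failure rather than mostly-intact plaintext to quote back.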