
Re: Anybody know details about Schneier's "flaw"?

2002-08-19 13:13:54


Dominikus Scherkl wrote:
Carl Ellison <cme(_at_)acm(_dot_)org> wrote:
Y'know, there's an even simpler attack with the same premise.  You
intercept an encrypted e-mail from Alice to Bob.  You take the mail
body out of the message and send that body to Bob under your e-mail
address (or under some address you control that Bob might mistake for
Alice's, which would be even better).  Bob decrypts the message and
replies to it, including the original message body by default.

In that case Bob sees the original message, and at least has the possibility
of noting that it is not consistent with the reply-to address. If he sees
garbage, that could be consistent with any reply-to address, unless Bob
knows about this attack.

This is all part of the same problem that has been pointed out before in
the context of signing: the message content and the headers (including
the reply-to address and hence the public key to be used to encrypt replies)
are not treated as a unit cryptographically.

The mistake here, on Bob's part, is to reply to a message without
paying attention to the e-mail address being used.

The flaw I see (in the whole attack) is:
Why should anybody reply in cleartext to an encrypted message?

The attack does not depend on the victim replying in cleartext.
If the message is encrypted, it would be encrypted to the attacker's key.

Peter Gutmann wrote:
On the grand scale of things, it has curiosity value, but not much more. There
are a pile of other attacks which fall into the same class, e.g. concern over
the Bleichenbacher attack on SSL being used against S/MIME email (come to think
of it, that one never came up on open-pgp). My thoughts on this at the time,
which also apply to this attack, were:

-- Snip --

  [...] this attack requires that an attacker send you around a million pieces
  of CMS encrypted email with attached receipt requests, that you respond with
  a million receipts indicating to the attacker the exact details of why the
  decrypt failed, that you reuse the same per-message key for each of those
  million messages.

What on earth does this attack have to do with sending millions of messages?
It requires one message, and is considerably more plausible than applying the
Bleichenbacher attack to email (or would be, if it wasn't prevented in
practice by compression).

-- 
David Hopwood <david(_dot_)hopwood(_at_)zetnet(_dot_)co(_dot_)uk>

Home page & PGP public key:
RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5  0F 69 8C D4 FA 66 15 01
Nothing in this message is intended to be legally binding. If I revoke a
public key but refuse to specify why, it is because the private key has been
seized under the Regulation of Investigatory Powers Act; see

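The attack Carl Ellison describes, and the missing header/body binding David Hopwood points at, as a runnable toy model. This is an added example written for this page, not code from any of the posters or from an OpenPGP implementation. Everything in it is a constructed stand-in: the three mailboxes and their secrets, the message text, and the cipher. "Encrypting to an address" is modelled as encrypt-then-MAC under that mailbox's secret rather than real public-key encryption, which is enough to show who can read what. The `bind_headers` option is the hypothetical fix of copying the From/To values inside the protected payload so Bob's client can compare them with the envelope; the unbound case reproduces Scherkl's observation that Bob's reply is encrypted, but to the attacker's key.

```python
"""Toy model of the strip-and-resend attack on encrypted mail.

Constructed example: keys, addresses and cipher are stand-ins for OpenPGP.
"""
import hashlib
import hmac
import json

# Constructed, fixed per-mailbox secrets (stand-ins for each user's key pair).
KEYS = {
    "alice@example.org": hashlib.sha256(b"alice secret").digest(),
    "bob@example.org": hashlib.sha256(b"bob secret").digest(),
    "mallory@example.net": hashlib.sha256(b"mallory secret").digest(),
}


def _keystream(key, nonce, n):
    """SHA-256 in counter mode; a toy stream cipher, not for real use."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def encrypt_to(addr, plaintext):
    """Stand-in for 'encrypt to addr's public key': nonce || ct || tag."""
    key = KEYS[addr]
    nonce = hashlib.sha256(key + plaintext).digest()[:16]  # deterministic, demo only
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_with(addr, blob):
    """Only the holder of addr's secret gets the plaintext; tampering is rejected."""
    key = KEYS[addr]
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def compose(sender, recipient, text, bind_headers=False):
    """Mail = cleartext envelope + encrypted body. With bind_headers=True the
    From/To values are also carried inside the encrypted, integrity-protected
    payload, so envelope and content become one cryptographic unit."""
    payload = {"text": text}
    if bind_headers:
        payload.update({"from": sender, "to": recipient})
    return {"headers": {"From": sender, "To": recipient},
            "body": encrypt_to(recipient, json.dumps(payload).encode())}


def strip_and_resend(intercepted, attacker, victim):
    """Ellison's attack: keep Alice's encrypted body, swap the envelope."""
    return {"headers": {"From": attacker, "To": victim}, "body": intercepted["body"]}


def auto_reply(mail, me):
    """Bob's client: decrypt, quote the original, encrypt the reply to the From
    address. Refuses (returns None) only when a bound payload names a different
    sender than the envelope does."""
    payload = json.loads(decrypt_with(me, mail["body"]))
    reply_to = mail["headers"]["From"]
    if "from" in payload and payload["from"] != reply_to:
        return None
    quoted = "\n".join("> " + line for line in payload["text"].splitlines())
    return {"headers": {"From": me, "To": reply_to},
            "body": encrypt_to(reply_to, quoted.encode())}


def run_attack(bind_headers):
    """Alice's text as Mallory recovers it from Bob's reply, or None if blocked."""
    original = compose("alice@example.org", "bob@example.org",
                       "Bob, the wire transfer PIN is 4417.", bind_headers)
    forged = strip_and_resend(original, "mallory@example.net", "bob@example.org")
    reply = auto_reply(forged, "bob@example.org")
    if reply is None:
        return None
    # The reply is encrypted, just to the wrong key: Mallory can open it.
    return decrypt_with("mallory@example.net", reply["body"]).decode()


if __name__ == "__main__":
    print("unbound envelope :", run_attack(False))
    print("bound envelope   :", run_attack(True))
```

With the body alone encrypted, `run_attack(False)` hands Mallory the quoted plaintext even though Bob never replied in the clear. With the sender copied into the protected payload, the same forged envelope is caught at `auto_reply` and nothing is sent. The check only works because the inner fields share the body's integrity protection; a malleable, unauthenticated body would let the attacker rewrite them too.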