ietf-openpgp
[Top] [All Lists]

Re: Davis paper revisited // separation of signed and encrypted messages into clearsigned messages

2003-08-21 13:15:40

Vedaal writes:

have been able to separate a signed and encrypted message into a freestanding
verifiable clearsigned message

have put up the example here:
http://www.angelfire.com/pr/pgpf/sclsf.html

Makes sense, signed messages are signed messages.

would like to ask:

[1] is there any way to distinguish the composite reconstruction forgery
from a 'real' de novo clearsigned message ?

I disagree that this is a forgery.  Rather, it is a reformatting (plus
you have stripped off an encryption layer).  Generally, the hashing
rules for text-mode signed messages (as you have in your encrypted and
signed message) and clearsigned messages are the same.

However some (older?) versions of PGP don't follow the spec and don't
ignore trailing whitespace for text-mode signed messages, while they
do ignore it for clearsigned messages.  So if you had a message with
trailing whitespace and created a text-mode signed message (or a signed
and encrypted message) using such a version of PGP, it would not verify
when converted to a clearsigned message.  However such messages would
tend to have verification difficulties anyway due to this variation
from the spec.

[2] is there a difference between GnuPG and PGP in the way a message
is clearsigned, as opposed to signed and encrypted,
that might distinguish the forged composite, from a real clearsigned
message?

Again I would say "reformatted" rather than "forged".  These are just
two different formats for signed messages.  Except for the variation I
mentioned above I think that the two are hashed the same for GPG and PGP.

while the Davis paper describes separating and re-encrypting,
it doesn't deal with separating into a freestanding clearsigned message.

I saw some code to do this somewhere a while back.  It's trivial, once
you strip off the encryption layer and leave the text-mode signed message,
to convert it to a clearsigned message.  Just wrap the literal payload
in the appropriate BEGIN PGP headers, and base64 encode the signature
packet.

Hal