On 17/07/13 10:43, Ben Laurie wrote:
On 16 July 2013 22:49, Ximin Luo <infinity0(_at_)gmx(_dot_)com> wrote:
On 16/07/13 12:31, Ben Laurie wrote:
On 3 July 2013 00:22, Ximin Luo <infinity0(_at_)gmx(_dot_)com> wrote:
To openpgp(_at_)ietf(_dot_)org,
As per [1] and [2], sign-then-encrypt is only really secure as long as you do
it on *all* the information that forms the message, some of which might be
external to the message data itself. Crucially, this includes the recipient.
What's the current status of this in the PGP/MIME standard? Is it still a
problem? I notice that email subject headers are in a similar situation, and
users have complained about it.[3] The problem of unencrypted/unauthenticated
recipient is less obvious, so I haven't seen user complaints, but potentially
it is more serious.
Not clear why this is an issue? Surely the fact the message is
encrypted to the recipient is sufficient?
The signed part does not explicitly say who the recipient is. When the initial
recipient decrypts the message, they remove this implicit information (the
intended recipient). They are then free to encrypt the signed message to a
different, *unintended*, recipient. (See [2] I linked previously.)
Ah, I see. I am sure I remember this being discussed before. But I
can't remember where.
It is possible that I missed something, that PGP sign+encrypt actually does
already implicitly add this information to the inner signed (non-forgeable)
data. But this is not consistent with my research - I do not see anything in
RFC 4880 that would prevent the attack described. I haven't read it in full,
so I could be wrong, but the sources I cited previously agree with this, and
that's why I emailed this list about it. Please correct me if I am wrong!
I'm not sure what you think the attack is. I get that you end up with
a signed blob that is sent to someone other than the intended
recipient. So what?
You might find sections 3 and 4 of
http://www.apache-ssl.org/tech-legal.pdf helpful.
As per [2], if I ever sign a message consisting of "yes" or "no" or some other
short message with very little context, the attacker (whom I encrypted the
signed message to) could use this signed message in some other context, fooling
people that I said something I didn't. One might argue "how unlikely", but it's
still an unnecessary caveat (i.e. complexity) in using encrypted email, which
will confuse people not familiar with the details.
My original point was that this attack is a specific example of a general
design flaw in encrypted email - i.e. unsigned/unencrypted headers.
I'm not concerned that some legal principle clears me of responsibility;
practical objective security should not be dependent on the efficiency or
subjective justice of any legal system. I would much rather the attack not be
possible in the first place.
[1]
http://crypto.stackexchange.com/questions/5458/should-we-sign-then-encrypt-or-encrypt-then-sign
[2] http://world.std.com/~dtd/sign_encrypt/sign_encrypt7.html#CITEpgp
[3] http://www.mozilla-enigmail.org/forum/viewtopic.php?f=9&t=328
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
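Added example, not part of the thread and not code from any OpenPGP implementation: a receiver-side check showing what changes when the intended recipient is placed inside the signed data, as the thread discusses. The toy RSA signer, the key ids and the JSON layout are assumptions made for illustration; the encryption layer is modelled only by the `decrypting_key` argument.

```python
import hashlib
import json

# Toy textbook-RSA signer, constructed for this example only.
# No padding, tiny modulus: NOT secure, it just gives a verifiable signature.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537      # two Mersenne primes
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))          # Python 3.8+

def _digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign(data: bytes) -> int:
    return pow(_digest(data), D, N)

def verify(data: bytes, sig: int) -> bool:
    return pow(sig, E, N) == _digest(data)

def sign_bound(body: str, recipient: str):
    """Sign the body together with the intended recipient's key id."""
    signed = json.dumps({"to": recipient, "body": body}, sort_keys=True).encode()
    return signed, sign(signed)

def check_unbound(body: bytes, sig: int, decrypting_key: str) -> str:
    """All a receiver can check when only the body is signed:
    decrypting_key cannot be compared with anything the sender signed."""
    return "ok" if verify(body, sig) else "bad-signature"

def check_bound(signed: bytes, sig: int, decrypting_key: str) -> str:
    """Check run after decrypting with decrypting_key."""
    if not verify(signed, sig):
        return "bad-signature"
    if json.loads(signed)["to"] != decrypting_key:
        return "not-addressed-to-me"       # valid signature, wrong audience
    return "ok"

if __name__ == "__main__":
    # Constructed sample: a short, low-context message as in the thread.
    plain_sig = sign(b"yes")
    signed, bound_sig = sign_bound("yes", "key:bob")
    for key in ("key:bob", "key:carol"):
        print(key, check_unbound(b"yes", plain_sig, key),
              check_bound(signed, bound_sig, key))
```

With only the body signed, both key ids report "ok"; with the recipient inside the signed data, the second key id reports "not-addressed-to-me".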