ietf-openpgp
[Top] [All Lists]

Re: [openpgp] signed/encrypted emails vs unsigned/unencrypted headers

2013-07-17 13:28:03
On 17/07/13 10:43, Ben Laurie wrote:
On 16 July 2013 22:49, Ximin Luo <infinity0(_at_)gmx(_dot_)com> wrote:
On 16/07/13 12:31, Ben Laurie wrote:
On 3 July 2013 00:22, Ximin Luo <infinity0(_at_)gmx(_dot_)com> wrote:
To openpgp(_at_)ietf(_dot_)org,

As per [1] and [2], sign-then-encrypt is only really secure as long as you 
do
it on *all* the information that forms the message, some of which might be
external to the message data itself. Crucially, this includes the 
recipient.

What's the current status of this in the PGP/MIME standard? Is it still a
problem? I notice that email subject headers are in a similar situation, 
and
users have complained about it.[3] The problem of 
unencrypted/unauthenticated
recipient is less obvious, so I haven't seen user complaints, but 
potentially
it is more serious.

Not clear why this is an issue? Surely the fact the message is
encrypted to the recipient is sufficient?


The signed part does not explicit say who the recipient is. When the initial 
recipient decrypts the message, they remove this implicit information (the 
intended recipient). They are then free to encrypt the signed message to a 
different, *unintended*, recipient. (See [2] I linked previously.)

Ah, I see. I am sure I remember this being discussed before. But I
can't remember where.

It is possible that I missed something, that PGP sign+encrypt actually does 
already implicitly add this information to the inner signed (non-forgeable) 
data. But this is not consistent with my research - I do not see anything in 
RFC 4880 that would prevent the attack described. I haven't read it in full, 
so I could be wrong, but the sources I cited previously agree with this, and 
that's why I emailed this list about it. Please correct me if I am wrong!

I'm not sure what you think the attack is. I get that you end up with
a signed blob that is sent to someone other than the intended
recipient. So what?

You might find sections 3 and 4 of
http://www.apache-ssl.org/tech-legal.pdf helpful.


As per [2], if I ever sign a message consisting of "yes" or "no" or some other 
short message with very little context, the attacker (whom I encrypted the 
signed message to) could use this signed message in some other context, fooling 
people that I said something I didn't. One might argue "how unlikely", but it's 
still an unnecessary caveat (i.e. complexity) in using encrypted email, which 
will confuse people not familiar with the details.

My original point was that this attack is a specific example of a general 
design flaw in encrypted email - i.e. unsigned/unencrypted headers.

I'm not concerned that some legal principle clears me of responsibility; 
practical objective security should not be dependant on the efficiency or 
subjective justice of any legal system. I would much rather the attack not be 
possible in the first place.


[1]
http://crypto.stackexchange.com/questions/5458/should-we-sign-then-encrypt-or-encrypt-then-sign
[2] http://world.std.com/~dtd/sign_encrypt/sign_encrypt7.html#CITEpgp
[3] http://www.mozilla-enigmail.org/forum/viewtopic.php?f=9&t=328



Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp