ietf-openpgp

Re: [openpgp] Spoofing OpenPGP and S/MIME Signatures in Emails

2019-04-30 09:05:17
Hi,

On 4/30/19 3:19 PM, Stephen Farrell wrote:
> On 30/04/2019 13:29, ilf wrote:
>> https://github.com/RUB-NDS/Johnny-You-Are-Fired
>> https://raw.githubusercontent.com/RUB-NDS/Johnny-You-Are-Fired/master/paper/johnny-fired.pdf
> Great work, thanks! I guess that's another fine
> demonstration that code that's not really used
> in anger enough tends to have lots of frailties;-(
>
> A comment and a question:
>
> - I think it'd be a fine thing if this were to be
>   presented at an IETF meeting - if some of the
>   authors are going to be at one of those (or
>   would present remotely) then contacting the
>   security area directors and asking for a slot at
>   some saag session would be a fine thing.

I don't think any of us are at IETF meetings, but maybe something could
be arranged, depending on the details.  We will present at USENIX
Security 2019, of course.

> - I wasn't clear how to interpret the missing
>   combinations from Table 2, e.g. does the lack of
>   mention of the Linux/TB/Enigmail combination mean
>   that it was not vulnerable to the attacks or that
>   it was not tested? (Or that it's almost certainly
>   vulnerable but you'd already broken so much so well,
>   it wasn't worth specifically documenting;-)

We did not include redundancies, for several reasons:

* They would bias our evaluation result (we don't want to inflate our
attack success rate artificially),
* systematic testing is a lot of effort, so we had to limit the number
of combinations, and
* completeness is not feasible anyway. For example, you could also
combine several attack types in a single attack to achieve an even
higher success rate, but we did not evaluate that.

BTW, other examples missing are Trojitá and KMail under Windows.

In the case of Thunderbird I feel comfortable to say that all OpenPGP
test cases have been developed under Linux and then confirmed on
Windows, but we don't say that in the paper.

Of course, we published our test cases, so it is easy to check
additional combinations and software platforms!

Thanks,
Marcus


-- 
Dipl.-Math. Marcus Brinkmann

Lehrstuhl für Netz- und Datensicherheit
Ruhr Universität Bochum
Universitätsstr. 150, Geb. ID 2/461
D-44780 Bochum

Phone: +49 (0) 234 / 32-25030
http://www.nds.rub.de/chair/people/mbrinkmann
