RE: secure sign & encrypt

Terje Braaten <Terje.Braaten@concept.fr> Thu, 23 May 2002 20:46 UTC

Message-ID: <1F4F2D8ADFFCD411819300B0D0AA862E29ABF6@csexch.Conceptfr.net>
From: Terje Braaten <Terje.Braaten@concept.fr>
To: "'Derek Atkins'" <warlord@mit.edu>, Terje Braaten <Terje.Braaten@concept.fr>
Cc: OpenPGP <ietf-openpgp@imc.org>
Subject: RE: secure sign & encrypt
Date: Thu, 23 May 2002 22:34:10 +0200

Derek Atkins <warlord@MIT.EDU> writes:
> 
> Terje Braaten <Terje.Braaten@concept.fr> writes:
> 
> > Derek Atkins <warlord@MIT.EDU> wrote:
> > > I'm not sure exactly what you mean when you say Alice saves a copy
> > > of the session key... How does Alice get that key to Charlie?  Also
> > > keep in mind that the interior and exterior encryptions SHOULD be
> > > using different session keys.  So, I don't understand what you mean?
> > 
> > She could send it to Charlie in a different mail, or add it on the outside
> > of the signature (ES) packet before she encrypts and sends it to Charlie.
> > And since she controls the building of the message, another solution
> > would be that she could also use the same session key in the interior and
> > exterior encryptions no matter what the protocol says should be done.
> 
> But then Charlie KNOWS that Alice did the dastardly deed.  Moreover,
> you'd need an extremely special reader to be able to read such a message,
> because it would not be 2440-compliant.

No, if Alice faked the e-mail headers, he could think it was Bob that
sent it to him, and also revealed to him the session key to the inner
encryption packet. It is exactly the same case as if Alice just had
used SE and signed a packet with the recipient keys in the inner message.
Charlie would KNOW that something was wrong, but not if Alice or Bob
was to blame.

> 
> > > Can you show the packets that Charlie sees?  I don't see any way
> > > to add a new ESK on the interior message without invalidating the
> > > signature....
> > 
> > Charlie sees after decrypting the first layer
> >  PreSig[Alice]{ESK [Bob] Enc { Literal { Message } } }PostSig[Alice]
> 
> Ok, can you show me the complete message Charlie receives (before he
> decrypts the first layer)?  Note that if Charlie sees this message, it
> is quite clear that the message was meant for Bob alone.

Yes, but was it Bob that leaked the information or Alice? See, he cannot
know.

> 
> > In addition he has, or can make ESK[Charlie]. This information he can
> > claim he must have got from Bob, since he is the only original recipient.
> 
> How can Charlie insert an ESK[Charlie] and not invalidate the
> signature?

He cannot insert it in the inner encryption packet without invalidating
the signature, but he can make use of it to read the encrypted message.

-- 
Terje Bråten
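
Added example, not part of the original message or of any OpenPGP implementation: a toy model of the inner structure `PreSig[Alice]{ESK[Bob] Enc{Literal{Message}}}PostSig[Alice]` discussed in this thread. It shows that inserting an ESK[Charlie] changes the signed bytes, while a session key disclosed out of band lets Charlie read the message with the signed bytes untouched, so the signature verifies identically whoever disclosed the key. The cipher, the key wrap and the HMAC "signature" are simplified stand-ins (assumptions) for the real public-key operations.

```python
import hashlib, hmac, os

def xor_stream(key: bytes, data: bytes) -> bytes:
    # Toy stream cipher (SHA-256 in counter mode); illustration only.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def esk(recipient_key: bytes, session_key: bytes) -> bytes:
    # Stand-in for a public-key ESK packet: session key wrapped to one recipient.
    return xor_stream(recipient_key, session_key)

def sign(signer_key: bytes, body: bytes) -> bytes:
    # Stand-in for Alice's signature (HMAC, not a real public-key signature).
    return hmac.new(signer_key, body, hashlib.sha256).digest()

def verify(signer_key: bytes, body: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(signer_key, body), sig)

def demo() -> dict:
    alice, bob, charlie = (os.urandom(32) for _ in range(3))
    k = os.urandom(32)                       # inner session key
    message = b"constructed sample message for Bob"
    body = esk(bob, k) + xor_stream(k, message)  # ESK[Bob] Enc{Literal{Message}}
    sig = sign(alice, body)                  # PreSig/PostSig[Alice] cover body
    # Charlie holds body + sig once the outer encryption layer is removed.
    tampered = esk(charlie, k) + body        # ESK[Charlie] inserted inside
    return {
        "original_verifies": verify(alice, body, sig),
        "tampered_verifies": verify(alice, tampered, sig),
        # With k disclosed out of band, Charlie decrypts without altering body.
        "charlie_reads": xor_stream(k, body[32:]) == message,
        # Bob unwrapping his own ESK recovers the same session key.
        "bob_key_matches": xor_stream(bob, body[:32]) == k,
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```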