Re: [openpgp] signed/encrypted emails vs unsigned/unencrypted headers

Ximin Luo <infinity0@gmx.com> Wed, 17 July 2013 18:27 UTC

Return-Path: <infinity0@gmx.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 157D621F9E33 for <openpgp@ietfa.amsl.com>; Wed, 17 Jul 2013 11:27:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[AWL=-0.100, BAYES_00=-2.599, J_CHICKENPOX_47=0.6]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rrMJ76Z0YFrf for <openpgp@ietfa.amsl.com>; Wed, 17 Jul 2013 11:27:50 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.19]) by ietfa.amsl.com (Postfix) with ESMTP id 8B62E21F996F for <openpgp@ietf.org>; Wed, 17 Jul 2013 11:27:49 -0700 (PDT)
Received: from [192.168.1.66] ([109.152.229.244]) by mail.gmx.com (mrgmx103) with ESMTPSA (Nemesis) id 0MY75A-1UdRDv38gy-00Us3M for <openpgp@ietf.org>; Wed, 17 Jul 2013 20:27:47 +0200
Message-ID: <51E6E21C.4020708@gmx.com>
Date: Wed, 17 Jul 2013 19:27:40 +0100
From: Ximin Luo <infinity0@gmx.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130518 Icedove/17.0.5
MIME-Version: 1.0
To: openpgp@ietf.org
References: <51D360B2.1070709@gmx.com> <CAG5KPzybcunUE3wO90icgQK5EpWecGa1e5LzL+-57aCWPrqUsw@mail.gmail.com> <51E5BFFC.1040505@gmx.com> <CAG5KPzz-xmGOV8p9h0ho1WKNdEez4M0VvdsQ5JafBpWYntJo3Q@mail.gmail.com>
In-Reply-To: <CAG5KPzz-xmGOV8p9h0ho1WKNdEez4M0VvdsQ5JafBpWYntJo3Q@mail.gmail.com>
X-Enigmail-Version: 1.5.1
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="----enig2QEBRXVEXEWHSOPUGRATH"
X-Provags-ID: V03:K0:6oaFGHbh9P8VN3fTwDPi75YonRldnKatCB/103o/+EuhfRN1Gdc 5SMtnrZqiU1zUIEyViJ9FS/5wfxbSsIldrc51H3AxsmkWlj/eTU4RCwsLb0QD4YSR5uw76S 2NBBCOB8vjnf2MKeBQ8nYo/nKCjMZUjFUORg1/H+IUjMjPoStzXHpdcNoeetCAR5mzzR2uw Olrn2Lw2GPAa9jdw0YQlg==
Subject: Re: [openpgp] signed/encrypted emails vs unsigned/unencrypted headers
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/openpgp>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Jul 2013 18:27:54 -0000

On 17/07/13 10:43, Ben Laurie wrote:
> On 16 July 2013 22:49, Ximin Luo <infinity0@gmx.com>; wrote:
>> On 16/07/13 12:31, Ben Laurie wrote:
>>> On 3 July 2013 00:22, Ximin Luo <infinity0@gmx.com>; wrote:
>>>> To openpgp@ietf.org,
>>>>
>>>> As per [1] and [2], sign-then-encrypt is only really secure as long as you do
>>>> it on *all* the information that forms the message, some of which might be
>>>> external to the message data itself. Crucially, this includes the recipient.
>>>>
>>>> What's the current status of this in the PGP/MIME standard? Is it still a
>>>> problem? I notice that email subject headers are in a similar situation, and
>>>> users have complained about it.[3] The problem of unencrypted/unauthenticated
>>>> recipient is less obvious, so I haven't seen user complaints, but potentially
>>>> it is more serious.
>>>
>>> Not clear why this is an issue? Surely the fact the message is
>>> encrypted to the recipient is sufficient?
>>>
>>
>> The signed part does not explicit say who the recipient is. When the initial recipient decrypts the message, they remove this implicit information (the intended recipient). They are then free to encrypt the signed message to a different, *unintended*, recipient. (See [2] I linked previously.)
> 
> Ah, I see. I am sure I remember this being discussed before. But I
> can't remember where.
> 
>> It is possible that I missed something, that PGP sign+encrypt actually does already implicitly add this information to the inner signed (non-forgeable) data. But this is not consistent with my research - I do not see anything in RFC 4880 that would prevent the attack described. I haven't read it in full, so I could be wrong, but the sources I cited previously agree with this, and that's why I emailed this list about it. Please correct me if I am wrong!
> 
> I'm not sure what you think the attack is. I get that you end up with
> a signed blob that is sent to someone other than the intended
> recipient. So what?
> 
> You might find sections 3 and 4 of
> http://www.apache-ssl.org/tech-legal.pdf helpful.
> 

As per [2], if I ever sign a message consisting of "yes" or "no" or some other short message with very little context, the attacker (whom I encrypted the signed message to) could use this signed message in some other context, fooling people that I said something I didn't. One might argue "how unlikely", but it's still an unnecessary caveat (i.e. complexity) in using encrypted email, which will confuse people not familiar with the details.

My original point was that this attack is a specific example of a general design flaw in encrypted email - i.e. unsigned/unencrypted headers.

I'm not concerned that some legal principle clears me of responsibility; practical objective security should not be dependant on the efficiency or subjective justice of any legal system. I would much rather the attack not be possible in the first place.

>>>>
>>>> [1]
>>>> http://crypto.stackexchange.com/questions/5458/should-we-sign-then-encrypt-or-encrypt-then-sign
>>>> [2] http://world.std.com/~dtd/sign_encrypt/sign_encrypt7.html#CITEpgp
>>>> [3] http://www.mozilla-enigmail.org/forum/viewtopic.php?f=9&t=328
>>>>