Re: [openpgp] Spoofing OpenPGP and S/MIME Signatures in Emails

Albrecht Dreß <albrecht.dress@arcor.de> Sat, 04 May 2019 11:08 UTC

Return-Path: <albrecht.dress@arcor.de>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AEE6D1203D0 for <openpgp@ietfa.amsl.com>; Sat, 4 May 2019 04:08:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.22
X-Spam-Level:
X-Spam-Status: No, score=-3.22 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, FROM_EXCESS_BASE64=0.979, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XMgYymDg_Qti for <openpgp@ietfa.amsl.com>; Sat, 4 May 2019 04:08:14 -0700 (PDT)
Received: from mx009.vodafonemail.xion.oxcs.net (mx009.vodafonemail.xion.oxcs.net [153.92.174.39]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 91A2D120044 for <openpgp@ietf.org>; Sat, 4 May 2019 04:08:14 -0700 (PDT)
Received: from vsmx002.vodafonemail.xion.oxcs.net (unknown [192.168.75.192]) by mta-6-out.mta.xion.oxcs.net (Postfix) with ESMTP id 7ECE1D9B152 for <openpgp@ietf.org>; Sat, 4 May 2019 11:08:12 +0000 (UTC)
Received: from deneb.localdomain (unknown [89.0.134.38]) by mta-6-out.mta.xion.oxcs.net (Postfix) with ESMTPA id 500B2199C3A for <openpgp@ietf.org>; Sat, 4 May 2019 11:08:10 +0000 (UTC)
Date: Sat, 04 May 2019 13:08:05 +0200
From: Albrecht Dreß <albrecht.dress@arcor.de>
To: openpgp@ietf.org
In-Reply-To: <20190430122932.GD1456@zeromail.org> (from ilf@zeromail.org on Tue Apr 30 14:29:32 2019)
Message-Id: <C2WACNF3.MOCHGZ6J.7IZQNCE5@MLE345G6.3RBRPUGZ.GY2PV6G2>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg="PGP-SHA512"; protocol="application/pgp-signature"; boundary="=-R8hA2VO41D6D6uFRuXoo"
X-VADE-STATUS: LEGIT
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/ESsR4qbSDX8zsbqcKvANTSTH81Y>
Subject: Re: [openpgp] Spoofing OpenPGP and S/MIME Signatures in Emails
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 04 May 2019 11:08:17 -0000

Hi,

thanks a lot for your great work!

Just an additional question regarding the “GPG API” attacks – can we assume that all applications using gpgme (like Balsa, <https://pawsa.fedorapeople.org/balsa/>) to talk to gpg are not vulnerable regarding this attack class, as the lib handles cases G1 and G2 properly?

Thanks,
Albrecht.

On 30.04.19 14:29, ilf wrote:
> https://github.com/RUB-NDS/Johnny-You-Are-Fired
> https://raw.githubusercontent.com/RUB-NDS/Johnny-You-Are-Fired/master/paper/johnny-fired.pdf