Re: secure sign & encrypt

Derek Atkins <warlord@mit.edu> Thu, 23 May 2002 12:41 UTC

To: Terje Braaten <Terje.Braaten@concept.fr>
Cc: OpenPGP <ietf-openpgp@imc.org>
Subject: Re: secure sign & encrypt
References: <1F4F2D8ADFFCD411819300B0D0AA862E29ABED@csexch.Conceptfr.net>
From: Derek Atkins <warlord@mit.edu>
Date: Thu, 23 May 2002 08:32:08 -0400
In-Reply-To: <1F4F2D8ADFFCD411819300B0D0AA862E29ABED@csexch.Conceptfr.net>
Message-ID: <sjmoff7qc3b.fsf@kikki.mit.edu>

Terje Braaten <Terje.Braaten@concept.fr> writes:

> Alice makes a love poem, signs & encrypts it and sends it to Bob.
> Some months later they have broken up with each other. Bob decides
> to be mean to Alice, and encrypts the signed love poem and sends it
> to Charlie, faking the From header in the mail so it looks like it is
> from Alice. Then Charlie has a message that is encrypted to him and signed
> by Alice. It seems to Charlie like it is created by sign & encrypt in
> PGP, so he is convinced this must be a message from Alice that she
> has encrypted specially for him.

Note that this will already say:

Good signature from Alice.
Signature made <Date three months ago>

Don't you think Charlie would be suspicious about that?  I would
certainly be suspicious if the signature date wasn't pretty close
to the mail date.  And I would also be suspicious if the mail date
wasn't close to "today".

> What I would like is any PGP implementation to be able to display a message
> like "Good signature from nn. Warning, this message is not made with atomic
> sign & encrypt, and may be encrypted by someone else."

You see, I view this just like regular mail.  There is the envelope
information, and there is the "letter".  By _CONVENTION_ the person
writing a letter duplicates the envelope information on the inside.
This is not done automatically by the Postal Service, nor is it done
automatically by the enveloping process.  A user could just as easily
leave that information out of the letter (thereby opening themselves
to this same attack in meatspace).

This is not something that should be solved at the Protocol Layer.
Repeat to yourself: IT IS A FEATURE THAT SIGN AND ENCRYPT ARE
SEPARABLE OPERATIONS.  Once you make that statement, there is no way,
short of layering violations, to do what you want to do except at the
application layer duplicating the information.

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
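
The two checks discussed in this message (signature date against mail date, and envelope information repeated inside the signed letter), as an added example that is not part of the original mail or of any PGP implementation. The `VerifiedSignature` type, the `envelope_warnings` function, the one-day tolerance, the convention that the signed text starts with its own `To:`/`From:` lines, and all addresses are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

MAX_SKEW = timedelta(days=1)  # assumed tolerance; the thread only says "pretty close"

@dataclass
class VerifiedSignature:
    """Hypothetical result of an OpenPGP verification that already succeeded."""
    made_at: datetime   # signature creation time
    signed_text: str    # plaintext covered by the signature

def envelope_warnings(outer_mail, sig, now):
    """Compare the unsigned envelope with what the signature actually covers."""
    outer = message_from_string(outer_mail)
    # Assumed convention: the writer repeats To:/From: at the top of the signed text.
    inner = message_from_string(sig.signed_text)
    sent = parsedate_to_datetime(outer["Date"])
    warnings = []
    if abs(sent - sig.made_at) > MAX_SKEW:
        warnings.append("signature date is not close to the mail date")
    if abs(now - sent) > MAX_SKEW:
        warnings.append("mail date is not close to today")
    inner_to = parseaddr(inner.get("To", ""))[1].lower()
    if not inner_to:
        warnings.append("signed text names no recipient")
    elif inner_to != parseaddr(outer["To"])[1].lower():
        warnings.append("signed text is addressed to someone else")
    return warnings

# Constructed sample data: the signed poem, the mail Charlie receives months
# later, and the mail Bob originally received.
POEM = VerifiedSignature(
    made_at=datetime(2002, 2, 20, 9, 0, tzinfo=timezone.utc),
    signed_text="To: bob@example.org\nFrom: alice@example.org\n\nRoses are red...\n",
)
FORWARDED = ("From: alice@example.org\nTo: charlie@example.org\n"
             "Date: Thu, 23 May 2002 08:32:08 -0400\n\n[encrypted body]\n")
ORIGINAL = ("From: alice@example.org\nTo: bob@example.org\n"
            "Date: Wed, 20 Feb 2002 09:05:00 +0000\n\n[encrypted body]\n")

if __name__ == "__main__":
    print(envelope_warnings(FORWARDED, POEM, datetime(2002, 5, 23, 13, 0, tzinfo=timezone.utc)))
    print(envelope_warnings(ORIGINAL, POEM, datetime(2002, 2, 20, 12, 0, tzinfo=timezone.utc)))
```

The recipient check only helps when the sender followed the convention; a signed text with no inner `To:` line produces the "names no recipient" warning rather than a pass.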