Re: [openpgp] signed/encrypted emails vs unsigned/unencrypted headers

Ximin Luo <infinity0@gmx.com> Tue, 16 July 2013 21:49 UTC

Return-Path: <infinity0@gmx.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AEC7821F9E5C for <openpgp@ietfa.amsl.com>; Tue, 16 Jul 2013 14:49:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, J_CHICKENPOX_47=0.6]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1rJwy4CVgXqf for <openpgp@ietfa.amsl.com>; Tue, 16 Jul 2013 14:49:54 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.15]) by ietfa.amsl.com (Postfix) with ESMTP id A8A6121F9E4D for <openpgp@ietf.org>; Tue, 16 Jul 2013 14:49:53 -0700 (PDT)
Received: from [192.168.1.66] ([109.152.229.244]) by mail.gmx.com (mrgmx002) with ESMTPSA (Nemesis) id 0Lx83d-1U5nNB39nF-016ddA for <openpgp@ietf.org>; Tue, 16 Jul 2013 23:49:52 +0200
Message-ID: <51E5BFFC.1040505@gmx.com>
Date: Tue, 16 Jul 2013 22:49:48 +0100
From: Ximin Luo <infinity0@gmx.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130518 Icedove/17.0.5
MIME-Version: 1.0
To: openpgp@ietf.org
References: <51D360B2.1070709@gmx.com> <CAG5KPzybcunUE3wO90icgQK5EpWecGa1e5LzL+-57aCWPrqUsw@mail.gmail.com>
In-Reply-To: <CAG5KPzybcunUE3wO90icgQK5EpWecGa1e5LzL+-57aCWPrqUsw@mail.gmail.com>
X-Enigmail-Version: 1.5.1
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="----enig2IFWVMUHRAATVTOMTGLDJ"
X-Provags-ID: V03:K0:NlDNZ66vym0PsAUl1SrRmSyjA7kcqxsyS+mdxw9CNzq5TuxiXmw +qf4Ytq+mOHfQ1WR93ai1COAGwHlWckYS/JA17Xb8DfTRbE7JUHh1/LsYJOmq7jQYV7CjPA ny3BW1CHQ2R+fywcgwKLxtiVJQFT5RcutHYTDNqe8jG2aVOZdOqpLVAEPoUXcLvgGpzQ0TG b7ZL5Gde77NEhWcGJqn7g==
Subject: Re: [openpgp] signed/encrypted emails vs unsigned/unencrypted headers
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/openpgp>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Jul 2013 21:49:57 -0000

On 16/07/13 12:31, Ben Laurie wrote:
> On 3 July 2013 00:22, Ximin Luo <infinity0@gmx.com>; wrote:
>> To openpgp@ietf.org,
>>
>> As per [1] and [2], sign-then-encrypt is only really secure as long as you do
>> it on *all* the information that forms the message, some of which might be
>> external to the message data itself. Crucially, this includes the recipient.
>>
>> What's the current status of this in the PGP/MIME standard? Is it still a
>> problem? I notice that email subject headers are in a similar situation, and
>> users have complained about it.[3] The problem of unencrypted/unauthenticated
>> recipient is less obvious, so I haven't seen user complaints, but potentially
>> it is more serious.
> 
> Not clear why this is an issue? Surely the fact the message is
> encrypted to the recipient is sufficient?
> 

The signed part does not explicit say who the recipient is. When the initial recipient decrypts the message, they remove this implicit information (the intended recipient). They are then free to encrypt the signed message to a different, *unintended*, recipient. (See [2] I linked previously.)

It is possible that I missed something, that PGP sign+encrypt actually does already implicitly add this information to the inner signed (non-forgeable) data. But this is not consistent with my research - I do not see anything in RFC 4880 that would prevent the attack described. I haven't read it in full, so I could be wrong, but the sources I cited previously agree with this, and that's why I emailed this list about it. Please correct me if I am wrong!

X

P.S. The GnuPG CLI does not let you decrypt a sign+encrypted file, without also verifying the signature. So, I hoped that it was actually transparently adding the list of encryption recipients to the inner signed data. However this appears not to be the case, which means in theory someone could write a tool to do the surreptitious forwarding attack. I did an experiment, using "a.txt" containing 6 bytes "12345\n". Let's see the results:

# Signed and encrypted data, using gpg --sign --encrypt
$ gpg --list-packets a.txt.siggpg
:pubkey enc packet: version 3, algo 1, keyid 68AE6913E59091EC
	data: [2048 bits]
:encrypted data packet:
	length: unknown
	mdc_method: 2
:compressed packet: algo=2
:onepass_sig packet: keyid 860DEF3B8F650B79
	version 3, sigclass 0x00, digest 8, pubkey 1, last=1
:literal data packet:
	mode b (62), created 1373995055, name="",
	raw data: 6 bytes
:signature packet: algo 1, keyid 860DEF3B8F650B79
	version 4, created 1373995055, md5len 0, sigclass 0x00
	digest algo 8, begin of digest de 4e
	hashed subpkt 2 len 4 (sig created 2013-07-16)
	subpkt 16 len 8 (issuer key ID 860DEF3B8F650B79)
	data: [4096 bits]

None of the inner decrypted packets contain any To: information about any encryption recipients
- onepass_sig http://tools.ietf.org/html/rfc4880#section-5.4
- literal data (6 bytes cannot possibly contain To: info)
- signature packet, version 4 http://tools.ietf.org/html/rfc4880#section-5.2.3

For more evidence, compare this to a non-encrypted signed file, of the same data. The signature-relevant packets are the same in both the encrypted/cleartext versions, and contain no additional information on the encryption recipient.

# Signed clear data, using gpg --sign
$ gpg --list-packets a.txt.sig
:compressed packet: algo=1
:onepass_sig packet: keyid 860DEF3B8F650B79
	version 3, sigclass 0x00, digest 8, pubkey 1, last=1
:literal data packet:
	mode b (62), created 1373994966, name="",
	raw data: 6 bytes
:signature packet: algo 1, keyid 860DEF3B8F650B79
	version 4, created 1373994966, md5len 0, sigclass 0x00
	digest algo 8, begin of digest ef 3a
	hashed subpkt 2 len 4 (sig created 2013-07-16)
	subpkt 16 len 8 (issuer key ID 860DEF3B8F650B79)
	data: [4095 bits]

>> Although not explicitly mentioned in the previous citations, these are
>> conceptually the same problem - i.e. you are only executing sign-then-encrypt
>> on *part* of the data that should be secured. So, I believe that it's possible
>> to work towards a single clean solution that fixes both problems.
>>
>> (Sorry if this has been asked before already, or if the problem has already
>> been fixed; I did check the list archives but couldn't find anything on a quick
>> scan, nor a quick session of web searching.)
>>
>> X
>>
>> [1]
>> http://crypto.stackexchange.com/questions/5458/should-we-sign-then-encrypt-or-encrypt-then-sign
>> [2] http://world.std.com/~dtd/sign_encrypt/sign_encrypt7.html#CITEpgp
>> [3] http://www.mozilla-enigmail.org/forum/viewtopic.php?f=9&t=328
>>
>> --
>> GPG: 4096R/5FBBDBCE
>> https://github.com/infinity0
>> https://bitbucket.org/infinity0
>> https://launchpad.net/~infinity0
>>
>>
>> _______________________________________________
>> openpgp mailing list
>> openpgp@ietf.org
>> https://www.ietf.org/mailman/listinfo/openpgp
>>
> _______________________________________________
> openpgp mailing list
> openpgp@ietf.org
> https://www.ietf.org/mailman/listinfo/openpgp
>