Re: [openpgp] Spoofing OpenPGP and S/MIME Signatures in Emails

Albrecht Dreß <albrecht.dress@arcor.de> Sat, 04 May 2019 14:10 UTC

Return-Path: <albrecht.dress@arcor.de>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C95021200B9 for <openpgp@ietfa.amsl.com>; Sat, 4 May 2019 07:10:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.62
X-Spam-Level:
X-Spam-Status: No, score=-1.62 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, FROM_EXCESS_BASE64=0.979, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fmK4jU-sI7KL for <openpgp@ietfa.amsl.com>; Sat, 4 May 2019 07:10:12 -0700 (PDT)
Received: from vsmx011.vodafonemail.xion.oxcs.net (vsmx011.vodafonemail.xion.oxcs.net [153.92.174.89]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1D13412002E for <openpgp@ietf.org>; Sat, 4 May 2019 07:10:11 -0700 (PDT)
Received: from vsmx003.vodafonemail.xion.oxcs.net (unknown [192.168.75.197]) by mta-5-out.mta.xion.oxcs.net (Postfix) with ESMTP id 1A4C23E0AAC for <openpgp@ietf.org>; Sat, 4 May 2019 14:10:10 +0000 (UTC)
Received: from deneb.localdomain (unknown [89.0.134.38]) by mta-7-out.mta.xion.oxcs.net (Postfix) with ESMTPA id E075A300771 for <openpgp@ietf.org>; Sat, 4 May 2019 14:10:07 +0000 (UTC)
Date: Sat, 04 May 2019 16:10:02 +0200
From: Albrecht Dreß <albrecht.dress@arcor.de>
To: openpgp@ietf.org
In-Reply-To: <20190430122932.GD1456@zeromail.org> (from ilf@zeromail.org on Tue Apr 30 14:29:32 2019)
Autocrypt: addr=albrecht.dress@arcor.de; prefer-encrypt=mutual; keydata=mQENBFZ eB1EBCADhnPQMF2jqSiftx8rmkJ042TTo5Dj5zI89g4Ea2rNGrk70GT+g0wVg1r2ZdWNN3/BM+Hu rm/uKqhlj20peqmpbmAdR2R3avztfAdi0XK1wIyMKzER4z2ieo8mY2yZdcrTtjL/P92RHpHMqpIT xZBTk5p+TH02LdRgibBglcmc+gN8pF0ZMmMsbGT4J9ytyWXR7xvh+JCBN0NRhn8+Rz315bnKZPpG kbKaWwfQUsLwlRalLB2Tvc0nNIoTl1RPBHLIVdR/X4fVg3JJqqfzhJqshmd52PP3oHqNqgPMjHMu vGGQfIOWHifaZxKPyvS9AD+dMFZLFsW6J6Hgfm4YEJ3wtABEBAAG0KEFsYnJlY2h0IERyZcOfIDx hbGJyZWNodC5kcmVzc0BhcmNvci5kZT6JATkEEwECACMFAlZeCZQCGwMHCwkIBwMCAQYVCAIJCgs EFgIDAQIeAQIXgAAKCRDqQ877M5uDOk1nCADWLGh61nwMVCi5YiaqbzM4Ap7cSLc8+5OPml1cl9E zOKiwZZ06fP671EzUirJUxLJgMRieFJWVCUoB/q/VcGeyoHsvmFgqYCjkMFjXEfs7us8AU9ZSqZk ljh3zp+JcGXnNsga7GwIti6d8wNRJILxnH5FLLfHHxcLG0Sri5ObF1eQQO45u2xDadXs7hM88T00 holFAYUAd2LEvOsJdZfzXMjp0ygJ0CXAmzRrVGFOvP1ZGlY82xZhSX1w/+zB+6J56Pm2+LGXxK7q OTb0VFch8ywtieTafgwv+6dOpYWdRG03z6wveFLZ+ESwrOlgTYT7VgRuxPgdjWYuIWc0K3OkJuQE NBFZeCr0BCADiOO0bCOVjlRxS9oLXRYj2FALktwINuI14kPYH0dJOsEa+iK5FpV5gksuFFQPFCAn QInTbR06JXpExoVTebyaqFG95jYr9BEDlxAq12ztJUNYB6L2Uk8UhTzJ7T9RvVUE6UOTyHg4Qlhr xMr/WIBJTOgJLx0+PYX57eW8iFIkCutSQiyoL4TaQ6+FPOTqvbWfoghumtovDC3JErWvvOEEJohk 5/iN3/9nDwaUp7Z9sELsjxXXUe/BTAPprq31onioFHBpvfPg1LpzqkJtEqsRfFG3JxEPM1mOxT9a qCysZoHz+/Q9DOLJNIrht7gEna8bfWq96opp1YkXx84MDDGydABEBAAGJAj4EGAECAAkFAlZeCr0 CGwIBKQkQ6kPO+zObgzrAXSAEGQECAAYFAlZeCr0ACgkQTKlvDmfn2fiNcQf8DDH/OZUITKpNZDr 3/2RYoN63bFKeXqjsEKgUaKn1PoYTDNbpDQe9YfYAH1MP1jbvUsvl7iYo5sOk+0cLXNVEPWVLoMZ 5aapNhDX1coDh0fLMiGfvvoWALMkbSCLifYBJRBMx4u5MSzo9SiFRCnD2ZhaATKZZomopP/tjeON XoX4jrvN17jCswb9tv+luwaoYTLHeWKxXY3CIJTEuhq/6TVq1AfrTx2pfQDzO+hp996kzClVw+yF ol7LGd0gVapJ9z1FnmmEr7hgb+aT+nexEdkBav6L3+AEky19Oma8LbHrM7MCRgORKtmVXsGWE0kS BHMhjf926e+WP9yEvuJ5p77H/B/9jKylBKwezvvIuBHKNitk/0qwUECbpkN8gfRm/mfBGMQvuES/ /D2UZrr++CwdmpHPxrFOWz+hvwO6/K1wy9XpUbkhkzsyA4jZ+aPFZdTKAegMUHjClbapMZxZOoRg Cl2CupTNQf316mYUXB81m4pAdy1MCnLwf2s4h0WoI4Q2zhHOsqrB23TIQTgW61D0JtqCY4DjeuWd 
C80/3AtJNI4E4+vfhucTWKTib++IblagSNg7nyacRoehVJch79NVrOhKFrioo+p331VTiBzRXnhM 3YG07fQlGYdA6AwYlP22PAEvAI5wn5PG+lPkHmHVvz3QLoUzAS9PEUzXvlYPMyobhuQENBFZeDEs BCADNOXu0rM1UVZ5y/Fb1Uklcmujc/MgoLzANUISqonfX3TKiVnpvmaKcQMZ29xsk3mt4osv+1Ne hhGWoVorlSUGVWFrghwumPPxgb5WRAVE4NjaUMvtjZyXsHA/Uj7Q+WAvUgNeSbT6CkZRliH/eaXb 9pZf6j05tDm15ABAWMj9SEdaZQwQcEDZujDbrUa/oxx10ePyGFhpEuoha6yU0C6Fc6KG6jy5J5Lb bR7RrA/OEPhtRpRVnv7qdLyIZtwJUPNXz7JXTrm43sGjJLF3zjmTVJhrnCXp00Nhq4ydIdWqxokn RNmEJ3qj0Heeb+jHWr9pcEGBW6FuRtS/WxIWSIit/ABEBAAGJAR8EGAECAAkFAlZeDEsCGwwACgk Q6kPO+zObgzq/jAgAv4qOMbN4qud+5wtJCMCv3QkqHY2WUXqM8sj3rHyc15U+FzGOmjQNxOIJw7y t5Epws/hyVPEp0lc6qPMvTeZng3lANNfPVBvIL3FuUTcGgc3KOx2gnB7ZpVG0baNSziqMZbHXjUW S8e2ub9YiH3n5gSW6Oq1veG0eNLatFpvwB4g7kfsyD6J88/iRfuFDkY6ANcfy4pfeuBl9XeO4EvN c7E0a7Ki036042gdoAF4MrbEMqFCIQHID0jlqzc1i8WcjxkwC5YqfrJVzp4PROpEaMNP8tEKqKxK 4V5CFqfHjGlijRD4FIfJtU/GzeMLnzsVqmKtPtfDfpmwDc1n+gDJI27kBDQRWXgdRAQgA2nEFM3Z jewnmly96ehVLLZJxJxv773b3hWKIEBBw1QF5Hk7Qwd3OQnxr0IjCuop0eiTdRhymPsVLaoMMOwO +ckScbiIUwQELP4MG2Qmzv48wLq/kML2q/Y5+scwqTYG0yLbmV/XD4gp0GuQuSujp+8oFbqC+XF5 YloYxHxEvOS8YGkbJ0T9SRtTMNChdy3g/9bHZQdAWFLIU4ivffKwXQRgqWkybF+td1SCiNTrEkSE tfkdt9A4BYQ41byb/v2YBZhLBV1/LCrf9R25c4SIGP/LAngSEfJFhb8ecTAIKJpvPFxRWBHKNcTJ r4MqzCjQDsUDPZdN1SNhQF/jDkZUDDwARAQABiQEfBBgBAgAJBQJWXgdRAhsMAAoJEOpDzvszm4M 69OYH/AhfWKr6/+Ru43U9QAcodMcGIT9YBu9Q7jZdhtmJiHhukMcn4OZt7JX+UJO3QYyXupJPdkH EF/YqaH4wzu02b5n9ImX0hybVw++v5yCNqpFEtd3ZjbvOJgWNIDWFJ8mA1VFR3JVlWGtnv78bvr9 IPu44u1Qt//BPOtIFe2EG9+mmZkLhlBWezvt1CvZeadQg7KbFhuZHNOk48XSX1sBn9d3rcbskt37 5EygunPI7o2qEVEZ9WSvqUPTprnf9/C/DIk9iV4BdoVfHW+HExqwlVXKBYlJQdMGGZuvZyIq6GYE +VKXw55mTxkF9wZQ9hwaUoaQ+gMqhnwAZnJSlJipnlpa5AQ0EV8LO/QEIAIoQPU9cCKg8aNpQDlD 8q9SjICjrjj+4pzHvm6WjwbCcQZzeJdUP8E3E4/c1TllTyzmAoeyyEeIy4iGt0/kwk1WwhxlVadH sUTmT3D0ypkOpovHUQAhkLuy8TzUwTIgDx+aQnueUX96FCHgVfPKn0IY6vIUev/A3/21+ecpOSQK AYmT4m359p+Z9t+FEdt2yYATW+8vZiechlm9+3Of/pjOSuhqQBz5XuE0/qomiCYvmVzuyWsg735/ 
eNKQVd2dV6BQ+KS9g+6nVo0yMlT8PAgf/1HYkNDlPkgV1wOl1kre6/MxvASbEluSlR23rEN3BbwV mVSrOYudmzuNx85hdpHcAEQEAAYkBHwQYAQgACQUCV8LO/QIbIAAKCRDqQ877M5uDOmnrCACNONu FyVSqZpdJmJ49BTDVr3DNSJFZJbKEZ+AqQyOS0BiELtrwhCikkNWZzNbnrXv4effGq0orxSWNmop JC5/aHfypEmJnLKE4dljTXlzMJKPagO30GUayalCu08OXL5J0MoItkDxj+i6WIOvLw8G1xhEcX7h aQ/+6a8cC1CUaV+q8PCU/+3K2bxBkL58zHzNpg2JjtRC7nVlPRHkplUyZpCLe4OEOvW7l4i5z6+F Qvxw+8a/9dWTW6UGyMLwWbP3HZJbeyLbLIPfmii3qKzMbqj2kJM0zV0C70vI64Ic+mHk0SPL0vM5 ljPbzLZddiZeKgK2O5fMPpyJpYWcxHj7a
Message-Id: <Y4GLJDBK.25MFNAVP.JR7XXY2J@A35DREMG.O2ZDLWN5.AWQ4LWN6>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg="PGP-SHA512"; protocol="application/pgp-signature"; boundary="=-TL6mlXQnbWyUouAo8ZRF"
X-VADE-STATUS: LEGIT
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/SKclvRGw9kan13GSsP66NlHHKEc>
Subject: Re: [openpgp] Spoofing OpenPGP and S/MIME Signatures in Emails
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 04 May 2019 14:10:15 -0000

Hi,

On 30.04.19 14:29, ilf wrote:
> https://github.com/RUB-NDS/Johnny-You-Are-Fired

While testing the MUA Balsa <https://pawsa.fedorapeople.org/balsa/> using the proof-of-concept messages provided on GitHub, I noticed that many (most? all?) of the RFC 3156 message parts are not recognised by it.  Looking at the message source (e.g. “Attack Class 'MIME', Test 'M1' (PGP/MIME)”), it appears that the header

   Content-Type: multipart/signed; boundary="BOUNDARY"; protocol="application/pgp-signature"

is missing the “micalg” parameter.  However, RFC 3156, sect. 5 states that

> OpenPGP signed messages are denoted by the "multipart/signed" content type, described in [RFC1847]

which defines in sect. 2.1

> Required parameters: boundary, protocol, and micalg

Consequently, Balsa (and maybe other MUAs, too) simply ignores such multipart/signed parts as they don't comply with the standard.

Did you omit the parameter intentionally, i.e. did I miss something interpreting the standards (typically, the value is never used), or are these proof-of-concept messages broken?

Thanks in advance,
Albrecht.
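The structural check the mail describes, written out as an added example (not Balsa's code and not part of the Johnny-You-Are-Fired repository): it applies the RFC 1847 sect. 2.1 requirements (boundary, protocol and micalg present, exactly two body parts, second part matching the protocol) plus the RFC 3156 sect. 5 "pgp-<hash-symbol>" form of micalg to a parsed message, and builds two constructed sample messages, one with the micalg parameter omitted as in the proof-of-concept header quoted above and one compliant. The case-insensitive comparison of the micalg value is an assumption made here, since mailers emit forms such as PGP-SHA512; the signature block in the samples is a placeholder.

```python
"""Validate the structure of an OpenPGP multipart/signed message against
RFC 1847 sect. 2.1 and RFC 3156 sect. 5 before handing it to a verifier.

Added example, not code from Balsa or from the Johnny-You-Are-Fired repository.
Sample messages below are constructed; the signature block is a placeholder."""
import email
from email import policy

REQUIRED_PARAMS = ("boundary", "protocol", "micalg")
PGP_PROTOCOL = "application/pgp-signature"


def signed_part_problems(msg):
    """Return a list of problems that make `msg` non-compliant as an RFC 3156
    PGP/MIME signed message; an empty list means it is structurally acceptable."""
    problems = []
    if msg.get_content_type() != "multipart/signed":
        return ["not multipart/signed"]
    # RFC 1847 sect. 2.1: boundary, protocol and micalg are all required.
    for name in REQUIRED_PARAMS:
        if msg.get_param(name) is None:
            problems.append(f"missing required parameter: {name}")
    protocol = (msg.get_param("protocol") or "").lower()
    if protocol and protocol != PGP_PROTOCOL:
        problems.append(f"unexpected protocol: {protocol}")
    # RFC 3156 sect. 5: micalg has the form "pgp-<hash-symbol>". Comparing
    # case-insensitively is an assumption made here, because real mailers
    # emit values such as PGP-SHA512.
    micalg = msg.get_param("micalg")
    if micalg is not None and not micalg.lower().startswith("pgp-"):
        problems.append(f"malformed micalg: {micalg}")
    # RFC 1847 sect. 2.1: exactly two body parts, the second of the protocol's type.
    parts = msg.get_payload()
    if not isinstance(parts, list) or len(parts) != 2:
        problems.append("multipart/signed must contain exactly two parts")
    elif parts[1].get_content_type() != protocol:
        problems.append("second part does not match the protocol parameter")
    return problems


def build_signed_message(micalg):
    """Construct a PGP/MIME signed message; micalg=None omits the parameter,
    mirroring the header shape of the proof-of-concept messages."""
    ct = 'multipart/signed; boundary="BOUNDARY"; protocol="application/pgp-signature"'
    if micalg is not None:
        ct += f'; micalg="{micalg}"'
    raw = (
        f"Content-Type: {ct}\n"
        "MIME-Version: 1.0\n"
        "\n"
        "--BOUNDARY\n"
        "Content-Type: text/plain; charset=us-ascii\n"
        "\n"
        "Constructed body text.\n"
        "--BOUNDARY\n"
        "Content-Type: application/pgp-signature\n"
        "\n"
        "-----BEGIN PGP SIGNATURE-----\n"
        "(placeholder, not a real signature)\n"
        "-----END PGP SIGNATURE-----\n"
        "--BOUNDARY--\n"
    )
    return email.message_from_string(raw, policy=policy.default)


if __name__ == "__main__":
    for label, micalg in (("PoC-style", None), ("compliant", "pgp-sha256")):
        print(label, signed_part_problems(build_signed_message(micalg)) or "OK")
```

Run stand-alone, the script reports the missing micalg parameter for the first constructed message and "OK" for the second; a MUA that applies this check before signature verification would treat the first message exactly as Balsa does, as a part that is not a valid RFC 1847 multipart/signed.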