Re: Anybody know details about Schneier's "flaw"?
David Hopwood <david.hopwood@zetnet.co.uk> Mon, 19 August 2002 20:21 UTC
Message-ID: <3D613AA3.85971B28@zetnet.co.uk>
Date: Mon, 19 Aug 2002 18:36:19 +0000
From: David Hopwood <david.hopwood@zetnet.co.uk>
To: ietf-openpgp@imc.org
Subject: Re: Anybody know details about Schneier's "flaw"?
References: <2F89C141B5B67645BB56C0385375788231C5B0@guk1d002.glueckkanja.org>

Dominikus Scherkl wrote:
> Carl Ellison <cme@acm.org> wrote:
> > Y'know, there's an even simpler attack with the same premise. You
> > intercept an encrypted e-mail from Alice to Bob. You take the mail
> > body out of the message and send that body to Bob under your e-mail
> > address (or under some address you control that Bob might mistake for
> > Alice's, which would be even better). Bob decrypts the message and
> > replies to it, including the original message body by default.

In that case Bob sees the original message, and at least has the
possibility of noting that it is not consistent with the reply-to
address. If he sees garbage, that could be consistent with any reply-to
address, unless Bob knows about this attack.

This is all part of the same problem that has been pointed out before in
the context of signing: the message content and the headers (including
the reply-to address and hence the public key to be used to encrypt
replies), are not treated as a unit cryptographically.

> > The mistake here, on Bob's part, is to reply to a message without
> > paying attention to the e-mail address being used
>
> The Flaw I see (on the whole attack) is:
> Why should anybody reply cleartext to an encrypted message?

The attack does not depend on the victim replying in cleartext. If the
message is encrypted, it would be encrypted to the attacker's key.

Peter Gutmann wrote:
> On the grand scale of things, it has curiosity value, but not much more. There
> are a pile of other attacks which fall into the same class, e.g. concern over
> the Bleichenbacher attack on SSL being used against S/MIME email (come to think
> of it, that one never came up on open-pgp). My thoughts on this at the time,
> which also apply to this attack, were:
>
> -- Snip --
>
> [...] this attack requires that an attacker send you around a million pieces
> of CMS encrypted email with attached receipt requests, that you respond with
> a million receipts indicating to the attacker the exact details of why the
> decrypt failed, that you reuse the same per-message key for each of those
> million messages.

What on earth does this attack have to do with sending millions of
messages? It requires one message, and is considerably more plausible
than applying the Bleichenbacher attack to email (or would be, if it
wasn't prevented in practice by compression).

--
David Hopwood <david.hopwood@zetnet.co.uk>

Home page & PGP public key: http://www.users.zetnet.co.uk/hopwood/
RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5 0F 69 8C D4 FA 66 15 01
Nothing in this message is intended to be legally binding. If I revoke a
public key but refuse to specify why, it is because the private key has been
seized under the Regulation of Investigatory Powers Act; see www.fipr.org/rip
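
Added example (not part of the original message or of any OpenPGP implementation): a sketch of what treating headers and content "as a unit cryptographically" means for the receiver. HMAC-SHA256 stands in for the sender's signature, and the key, addresses, message text and function names are all constructed for illustration.

```python
import hashlib
import hmac
from email import message_from_string

KEY = b"constructed-demo-key"  # assumption: stand-in for the sender's signing key
BOUND_HEADERS = ("from", "reply-to", "to", "subject")

# Constructed sample message, not taken from the thread.
ORIGINAL = (
    "From: alice@example.org\n"
    "Reply-To: alice@example.org\n"
    "To: bob@example.org\n"
    "Subject: meeting\n"
    "\n"
    "See you at noon.\n"
)

def _mac(data: bytes) -> str:
    return hmac.new(KEY, data, hashlib.sha256).hexdigest()

def tag_body_only(raw: str) -> str:
    """Authenticate the body alone, as when only the content is protected."""
    return _mac(message_from_string(raw).get_payload().encode())

def tag_headers_and_body(raw: str) -> str:
    """Authenticate a canonical copy of the routing headers together with the body."""
    msg = message_from_string(raw)
    headers = "".join(
        f"{name}:{(msg.get(name) or '').strip()}\n" for name in BOUND_HEADERS
    ).encode()
    # Length-prefix the header blob so header bytes cannot be reinterpreted as body.
    return _mac(len(headers).to_bytes(4, "big") + headers + msg.get_payload().encode())

def verify(raw: str, tag: str, scheme) -> bool:
    return hmac.compare_digest(scheme(raw), tag)

def with_sender(raw: str, address: str) -> str:
    """Same body re-sent under a different From/Reply-To (the case discussed above)."""
    msg = message_from_string(raw)
    for name in ("From", "Reply-To"):
        del msg[name]
        msg[name] = address
    return msg.as_string()

if __name__ == "__main__":
    moved = with_sender(ORIGINAL, "mallory@example.net")
    print("body-only tag still verifies:", verify(moved, tag_body_only(ORIGINAL), tag_body_only))
    print("headers+body tag still verifies:",
          verify(moved, tag_headers_and_body(ORIGINAL), tag_headers_and_body))
```

With the body-only tag the re-addressed copy still verifies, so nothing tells the recipient that the reply address changed; with the headers bound in, verification fails.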