Re: Anybody know details about Schneier's "flaw"?

David Hopwood <> Mon, 19 August 2002 20:21 UTC

Date: Mon, 19 Aug 2002 18:36:19 +0000
From: David Hopwood <>
Subject: Re: Anybody know details about Schneier's "flaw"?


Dominikus Scherkl wrote:
> Carl Ellison <> wrote:
> > Y'know, there's an even simpler attack with the same premise.  You
> > intercept an encrypted e-mail from Alice to Bob.  You take the mail
> > body out of the message and send that body to Bob under your e-mail
> > address (or under some address you control that Bob might mistake for
> > Alice's, which would be even better).  Bob decrypts the message and
> > replies to it, including the original message body by default.

In that case Bob sees the original message, and at least has the possibility
of noting that it is not consistent with the reply-to address. If he sees
garbage, that could be consistent with any reply-to address, unless Bob
knows about this attack.

This is all part of the same problem that has been pointed out before in
the context of signing: the message content and the headers (including
the reply-to address and hence the public key to be used to encrypt replies),
are not treated as a unit cryptographically.

> > The mistake here, on Bob's part, is to reply to a message without
> > paying attention to the e-mail address being used
> The Flaw I see (on the whole attack) is:
> Why should anybody reply cleartext to an encrypted message?

The attack does not depend on the victim replying in cleartext.
If the message is encrypted, it would be encrypted to the attacker's key.

Peter Gutmann wrote:
> On the grand scale of things, it has curiosity value, but not much more.  There
> are a pile of other attacks which fall into the same class, e.g. concern over
> the Bleichenbacher attack on SSL being used against S/MIME email (come to think
> of it, that one never came up on open-pgp).  My thoughts on this at the time,
> which also apply to this attack, were:
> -- Snip --
>   [...] this attack requires that an attacker send you around a million pieces
>   of CMS encrypted email with attached receipt requests, that you respond with
>   a million receipts indicating to the attacker the exact details of why the
>   decrypt failed, that you reuse the same per-message key for each of those
>   million messages.

What on earth does this attack have to do with sending millions of messages?
It requires one message, and is considerably more plausible than applying the
Bleichenbacher attack to email (or would be, if it wasn't prevented in
practice by compression).

-- 
David Hopwood <>

Home page & PGP public key:
RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5  0F 69 8C D4 FA 66 15 01
Nothing in this message is intended to be legally binding. If I revoke a
public key but refuse to specify why, it is because the private key has been
seized under the Regulation of Investigatory Powers Act; see

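The replay that Carl Ellison describes and the fix Hopwood's remark points at (treat the headers and the body as one cryptographic unit) can be played through end to end. The following is an added example written for this archive page, not code from any of the posters or from an OpenPGP implementation: RSA-OAEP from Go's standard library stands in for a PGP-encrypted body, the parties alice, bob and mallory and the message text are constructed for the demonstration, and the "naive" and "checked" reply functions are hypothetical mail-client behaviours. The naive client decrypts, quotes the plaintext and encrypts the reply to whatever address the envelope From names, which is exactly what lets Mallory read Alice's text; the checked client only replies if the From bound inside the ciphertext matches the envelope From.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

// Party is one mail user with an RSA keypair; the public key plays the role
// of the OpenPGP key other people encrypt to. (Constructed for this example.)
type Party struct {
	Name string
	Key  *rsa.PrivateKey
}

func NewParty(name string) *Party {
	k, err := rsa.GenerateKey(rand.Reader, 2048) // OAEP/SHA-256 leaves ~190 bytes of room
	if err != nil {
		panic(err)
	}
	return &Party{Name: name, Key: k}
}

// Mail is the transport envelope. From travels in the clear and is what a
// naive client uses to choose the key for an encrypted reply.
type Mail struct {
	From, To string
	Body     []byte // RSA-OAEP ciphertext, standing in for a PGP-encrypted body
}

func encryptTo(p *Party, pt string) []byte {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &p.Key.PublicKey, []byte(pt), nil)
	if err != nil {
		panic(err)
	}
	return ct
}

func (p *Party) decrypt(ct []byte) (string, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, p.Key, ct, nil)
	return string(pt), err
}

// quote prefixes every line with "> ", as a mail client does when replying.
func quote(s string) string { return "> " + strings.ReplaceAll(s, "\n", "\n> ") }

// SendNaive encrypts only the body; the headers are not part of the unit.
func SendNaive(from, to *Party, body string) Mail {
	return Mail{From: from.Name, To: to.Name, Body: encryptTo(to, body)}
}

// SendBound encrypts a copy of the headers together with the body.
func SendBound(from, to *Party, body string) Mail {
	inner := fmt.Sprintf("From: %s\nTo: %s\n\n%s", from.Name, to.Name, body)
	return Mail{From: from.Name, To: to.Name, Body: encryptTo(to, inner)}
}

// Replay is the attack: the intercepted ciphertext is re-sent unchanged under
// the attacker's own address. No key material is needed.
func Replay(m Mail, attacker *Party) Mail {
	return Mail{From: attacker.Name, To: m.To, Body: m.Body}
}

// ReplyNaive is the vulnerable client: decrypt, quote the plaintext, encrypt
// the reply to whoever the envelope From names.
func ReplyNaive(bob *Party, m Mail, keys map[string]*Party, text string) (Mail, error) {
	pt, err := bob.decrypt(m.Body)
	if err != nil {
		return Mail{}, err
	}
	return Mail{From: bob.Name, To: m.From, Body: encryptTo(keys[m.From], text+"\n"+quote(pt))}, nil
}

// ReplyChecked refuses unless the From bound inside the ciphertext matches the
// envelope From, i.e. the address whose key the reply would be encrypted to.
func ReplyChecked(bob *Party, m Mail, keys map[string]*Party, text string) (Mail, error) {
	pt, err := bob.decrypt(m.Body)
	if err != nil {
		return Mail{}, err
	}
	hdrs, body, ok := strings.Cut(pt, "\n\n")
	if !ok {
		return Mail{}, errors.New("no headers bound inside the encrypted body")
	}
	innerFrom := ""
	for _, h := range strings.Split(hdrs, "\n") {
		if strings.HasPrefix(h, "From: ") {
			innerFrom = strings.TrimPrefix(h, "From: ")
		}
	}
	if innerFrom != m.From {
		return Mail{}, fmt.Errorf("envelope From %q != encrypted From %q; not replying", m.From, innerFrom)
	}
	return Mail{From: bob.Name, To: m.From, Body: encryptTo(keys[m.From], text+"\n"+quote(body))}, nil
}

// RunAttack plays the whole exchange and returns what Mallory can read of
// Alice's text from Bob's reply; an error means Bob's client refused.
func RunAttack(send func(*Party, *Party, string) Mail,
	reply func(*Party, Mail, map[string]*Party, string) (Mail, error)) (string, error) {
	alice, bob, mallory := NewParty("alice"), NewParty("bob"), NewParty("mallory")
	keys := map[string]*Party{alice.Name: alice, bob.Name: bob, mallory.Name: mallory}
	original := send(alice, bob, "The safe combination is 31-17-04") // constructed sample text
	forged := Replay(original, mallory)                                // intercepted and re-sent
	r, err := reply(bob, forged, keys, "Which safe?")
	if err != nil {
		return "", err
	}
	return mallory.decrypt(r.Body) // the reply was encrypted to Mallory's key
}

func main() {
	leaked, _ := RunAttack(SendNaive, ReplyNaive)
	fmt.Printf("naive client, Mallory reads:\n%s\n\n", leaked)
	_, err := RunAttack(SendBound, ReplyChecked)
	fmt.Println("checked client:", err)
}
```

Note that the bound headers are protected here by confidentiality alone: Mallory cannot rewrite "From: alice" inside a ciphertext she cannot open, so this stops the replay, but it does not authenticate the message. A signature covering the same header-plus-body unit is what a sender-authenticating client would check in addition.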