IETF Logo Mail Archive

Re: secure sign & encrypt

Derek Atkins <warlord@mit.edu> Wed, 22 May 2002 14:19 UTC

Received: from above.proper.com (mail.imc.org [208.184.76.43]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA03846 for <openpgp-archive@odin.ietf.org>; Wed, 22 May 2002 10:19:04 -0400 (EDT)
Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g4ME9J412947 for ietf-openpgp-bks; Wed, 22 May 2002 07:09:19 -0700 (PDT)
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g4ME9HL12942 for <ietf-openpgp@imc.org>; Wed, 22 May 2002 07:09:17 -0700 (PDT)
Received: from central-city-carrier-station.mit.edu (CENTRAL-CITY-CARRIER-STATION.MIT.EDU [18.7.7.72]) by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id KAA21115; Wed, 22 May 2002 10:09:18 -0400 (EDT)
Received: from manawatu-mail-centre.mit.edu (MANAWATU-MAIL-CENTRE.MIT.EDU [18.7.7.71]) by central-city-carrier-station.mit.edu (8.9.2/8.9.2) with ESMTP id KAA05121; Wed, 22 May 2002 10:09:17 -0400 (EDT)
Received: from kikki.mit.edu (KIKKI.MIT.EDU [18.18.1.142]) by manawatu-mail-centre.mit.edu (8.9.2/8.9.2) with ESMTP id KAA29722; Wed, 22 May 2002 10:09:17 -0400 (EDT)
Received: (from warlord@localhost) by kikki.mit.edu (8.9.3) id KAA06819; Wed, 22 May 2002 10:09:17 -0400 (EDT)
To: vedaal <vedaal@hotmail.com>
Cc: ietf-openpgp@imc.org
Subject: Re: secure sign & encrypt
References: <1F4F2D8ADFFCD411819300B0D0AA862E29ABE6@csexch.Conceptfr.net> <OE36KLVXfEFzotSkrpE000009ff@hotmail.com>
From: Derek Atkins <warlord@mit.edu>
Date: Wed, 22 May 2002 10:09:17 -0400
In-Reply-To: <OE36KLVXfEFzotSkrpE000009ff@hotmail.com>
Message-ID: <sjmptzoz33m.fsf@kikki.mit.edu>
Lines: 93
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.7
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

How is the receiver supposed to know what the delta-t is?
How do you deal with different machines of different speeds?
What if the sender is a PalmPilot and the receiver is a Pentium-4 3GHz?
There is absolutely no consistency in the time.

Worse, an attacker who wants to re-send the message already knows what
the original delta-t is, and can add it to any new packets they
create.

Even putting a timestamp into the ESK to enforce "ESK time == Sig
Time" doesn't help you, because there is no way to verify the
timestamp on other ESKs (to see if they've been added).  All you know
is that "This message was encrypted by someone who was able to see the
original" (which could be the sender, or could be one of the
"original" receipients.

No, the best way around this problem is the USER INTERFACE and
EDUCATION.  If you receive a signed message that looks like:

  --- begin message ---
  To: peter, paul, mary
  Subject: Hi
  Date: <now>

  I QUIT!  Have a nice day!
  --- begin signature ---
  <stuff>
  --- end signature ---

(Or think of the same type of message but signed and encrypted)..

Notice how the original recipients are part of the signed message?  If
this gets forwarded to another person, they would know that they were
not an intended recipient.  You cannot change that without
invalidating the signature.

-derek

"vedaal" <vedaal@hotmail.com> writes:

> ----- Original Message -----
> From: "Terje Braaten" <Terje.Braaten@concept.fr>
> To: "OpenPGP (E-mail)" <ietf-openpgp@imc.org>
> Sent: Wednesday, May 22, 2002 6:51 AM
> Subject: RE: secure sign & encrypt
> 
> [...]
> > > If there could be a packet added linking the time of
> > > encryption to the time
> > > of signing,
> > > {including elapsed time in seconds [or 0.00x seconds], and
> > > therefore not
> > > attackable by trying to re-set the re-encrypting
> > > computer to the time recorded in the original signed message.}
> >
> > I do not understand how you intend this packet to be added.
> > If it is a signature packet, would not the changes to be done
> > be about the same as if we added an 'encrypted to' packet?
> 
> Yes,     it could be done your way too, with about the same amount of
> change.
> 
> I thought that a packet that simply records the elapsed time in fractions of
> a second, between signing and encrypting,
> could be added without affecting the signature or encryption packets, and
> might be easier to implement without affecting
> backward compatiblity.
> 
> [...]
> 
> > If it is not a signature packet, I do not understand what would
> > keep the attacker from making a fake timestamp when re-encrypting the
> > message.
> 
> It would be an 'record of actual elapsed time' packet,  measured from the
> time the program calls for the time of signing,
> to the time it calls for encrypting.  It would not be 'calculated' by
> measuring the recorded (old) timestamp of the signature,
> and then re-setting the attacker's computer to the same time and measuring
> the fractions of seconds till the encryption.
> 
> { i do not yet know how to read and write code :(  , so it is only my
> opinion of what seems plausibly 'do-able' ,
> it may be that it has flaws that experienced programmers can instantly see,
> if so, i apologize in advance}
> 
> --vedaal

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available

v2.23.0 | Report a Bug | By Email