Bugtraq mailing list archives
Re: crypto flaw in secure mail standards
From: Gregory Steuck <greg () nest cx>
Date: Fri, 22 Jun 2001 11:11:41 -0700
The presented attacks look like a hybrid of replay and man in the middle attacks known for years. I do agree that the problems are real and I am looking forward to reading your paper.

Let me fantasize as to how this can be solved in PGP. One can include the key id of the intended recipient into the signed portion of the message. This will clearly state the intended recipient. Below I also propose user level solutions to the problems.

On Fri, Jun 22, 2001 at 10:15:03AM -0500, Don Davis wrote:
> Suppose Alice and Bob are business partners, and are setting up a deal together. Suppose Alice decides to call off the deal, so she sends Bob a secure-mail message: "The deal is off."
It is very unlikely that Alice won't include a salutation along the lines of: "Dear Bob". Which makes the message not very suitable for Charlie. Moreover, doesn't a PGP signature include a timestamp? (Whether or not it is part of the signed message is the question I don't know the answer to.)
> Suppose instead that Alice & Bob are coworkers. Alice uses secure e-mail to send Bob her sensitive company-internal sales plan. Bob decides to get his rival Alice fired:
In this case I'm afraid Alice will have to be more careful and not sign the documents she doesn't have to. Why would she send a signed internal memo?

Thanks
Greg
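
The proposal in the message above (put the intended recipient's key id inside the signed portion), sketched as an added example that is not part of the original post or of PGP itself. Toy textbook RSA stands in for Alice's PGP signature; the key ids, function names and layout of the signed portion are assumptions.

```python
import hashlib

# Toy textbook RSA standing in for Alice's PGP signing key. NOT secure
# (Mersenne primes, no padding); only the recipient binding is the point.
_P, _Q, E = 2**127 - 1, 2**521 - 1, 65537
N = _P * _Q
_D = pow(E, -1, (_P - 1) * (_Q - 1))  # private exponent (Python 3.8+)

BOB_ID, CHARLIE_ID = "0xB0B00001", "0xC4A40002"  # constructed key ids

def _digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data: bytes) -> int:
    return pow(_digest(data), _D, N)

def verify(data: bytes, sig: int) -> bool:
    return pow(sig, E, N) == _digest(data)

def signed_portion(recipient_id: str, body: bytes) -> bytes:
    # Length-prefix the key id so the id/body boundary cannot be shifted.
    kid = recipient_id.encode()
    return len(kid).to_bytes(2, "big") + kid + body

def sign_for(recipient_id: str, body: bytes) -> int:
    return sign(signed_portion(recipient_id, body))

def accept(my_id: str, named_id: str, body: bytes, sig: int) -> str:
    """Recipient-side check on a decrypted message naming `named_id`."""
    if not verify(signed_portion(named_id, body), sig):
        return "bad signature"
    if named_id != my_id:
        return "signed for another recipient"
    return "ok"

if __name__ == "__main__":
    body = b"The deal is off."
    # Signature over the body alone: valid for whoever ends up holding it.
    print("plain, seen by Charlie:", verify(body, sign(body)))
    sig = sign_for(BOB_ID, body)
    print("bound, seen by Bob:    ", accept(BOB_ID, BOB_ID, body, sig))
    print("bound, re-sent as is:  ", accept(CHARLIE_ID, BOB_ID, body, sig))
    print("bound, id rewritten:   ", accept(CHARLIE_ID, CHARLIE_ID, body, sig))
```

The encryption layer is left out because anyone who can decrypt a message can strip and reapply it; only what sits under the signature survives that step.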