> * Bob can abuse the secure e-mail protocol to re-encrypt
> and resend Alice's message to Charlie;

This is abuse of the order in which signing and encryption take place - i.e. encrypt(sign(message)). This implies you can extract sign(message) from the outer envelope, and then send recrypt(sign(message)) and have it accepted as valid (which is of course true).

However, I fail to see how this would differ from a physical envelope and a signed note - if Alice had written "The deal is off." on a piece of headed paper, and signed it, then sent it to Bob, he could indeed re-enclose that in another envelope and send it to Charlie. However, just as you would not sign a piece of paper that says simply "I agree to the contract", you would not logically sign a note cancelling a deal unless you include sufficient text to make it unambiguous - a signed note with "Bob, I have thought over the contract for your services, and decided not to go ahead with it" would be of no value to Bob for this purpose.

PGP places signature inside encryption for a reason - not only (deliberately) so you can extract sign(message) with the signature intact, but to hide the identity of the signer from those who can't decrypt the outer wrapper.

> * Bob abuses the secure e-mail protocol to re-encrypt and
> resend Alice's sales-plan, with her digital signature,
> to a rival company's salesman Charlie.

In this case, if Alice were to sign this at all, she should sign after encryption - thus giving sign(encrypt(message)) - given that asymmetric encryption is to a specified person or persons, recrypt(message) would not implicate Alice (as the signature has been discarded).

> * Charlie brags openly about getting the sales plan from
> Alice. When he's accused in court of stealing the plan,
> Charlie presents Alice's secure e-mail as evidence of
> his innocence.

The real question here is - how long would it take an Expert Witness (and *I* would hire one quick enough if this got to court) to duplicate the message by taking an unencrypted but digitally signed copy of the document and simply wrapper-encrypting it to Charlie?

> Surprisingly, standards-compliant secure-mail clients will
> not detect these attacks.

That is because it isn't an attack - you are confusing the envelope with the contents. The reason these "attacks" work is *because* sign is a separate operation to encrypt - I have signed executables from several software authors downloaded from the web. If I encrypt those and send them to someone, I do not somehow create a message from that author to that person - I am simply forwarding a signed object. If the security problem is that encrypt(sign(message)) is being interpreted wrongly as "signer sent this message to encryption target" then you need to attack that assumption, not the system.
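The following is an added example, not part of the original post or of PGP: a toy model of encrypt(sign(message)) showing that the signature still verifies after the envelope is re-wrapped for another reader, and that only a check on the signed text itself (here the hypothetical `names_recipient`) tells the reader whom the message was written to. It assumes textbook RSA over fixed Mersenne primes, which is for illustration only; all function names are hypothetical.

```python
import hashlib, secrets

E = 65537  # public exponent shared by all toy keys

def mersenne(e):
    return 2 ** e - 1  # prime for the exponents used below (61, 89, 107, 127)

def keygen(p, q):
    """Toy textbook RSA key: illustration only, not secure."""
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(key, msg):
    return pow(digest(msg, key["n"]), key["d"], key["n"])

def verify(n, msg, sig):
    return pow(sig, E, n) == digest(msg, n)

def xor_stream(k, data):
    """XOR data with a SHA-256 counter keystream derived from session key k."""
    pad = b"".join(hashlib.sha256(k.to_bytes(32, "big") + bytes([i])).digest()
                   for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, pad))

def encrypt(n, plaintext):
    k = secrets.randbelow(n - 2) + 2  # fresh session key per envelope
    return pow(k, E, n), xor_stream(k, plaintext)

def decrypt(key, envelope):
    wrapped, body = envelope
    return xor_stream(pow(wrapped, key["d"], key["n"]), body)

def seal(sender, rcpt_n, msg):
    """encrypt(sign(message)): the signature covers msg only, not the recipient."""
    return encrypt(rcpt_n, sign(sender, msg).to_bytes(32, "big") + msg)

def open_envelope(rcpt, sender_n, envelope):
    """Return (message, signature_ok) as seen by the holder of key rcpt."""
    blob = decrypt(rcpt, envelope)
    return blob[32:], verify(sender_n, blob[32:], int.from_bytes(blob[:32], "big"))

def reencrypt(rcpt, envelope, new_n):
    """recrypt(sign(message)): re-wrap the intact signed blob for another key."""
    return encrypt(new_n, decrypt(rcpt, envelope))

def names_recipient(msg, name):
    """Receiver-side check: does the signed text itself address this reader?"""
    return msg.startswith(name.encode() + b",")

alice = keygen(mersenne(89), mersenne(107))     # constructed sample keys
bob = keygen(mersenne(61), mersenne(127))
charlie = keygen(mersenne(107), mersenne(127))
```

A valid signature here only says that Alice signed those bytes; the envelope key says nothing about who she addressed them to, so the reader has to look for that inside the signed text.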
This archive was generated by hypermail 2b30 : Fri Jun 22 2001 - 19:27:12 PDT