Re: PGP Signed Messages

From: Wraith Slayer (wraithslayerat_private)
Date: Mon Oct 15 2001 - 17:47:27 PDT


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    Actually, I've just checked this and from what I can see, or rather,
    what I cannot, the second bit there doesn't pop up in the Secure
    Viewer. Matter of fact, next to your email address, it says the
    signer is invalid, although the Signature is Good. Or am I missing
    something? I'm using 7.0.3 PGP on win2k.
    
    Z
    
    
    - ----- Original Message ----- 
    From: "[Segmen]" <dontpanic999at_private>
    To: <vuln-devat_private>; <bugtraqat_private>
    Sent: Monday, October 15, 2001 8:27 AM
    Subject: PGP Signed Messages
    
    
    > It occurred to me today what a bad idea the Comment Field is in PGP
    > signed messages. Altering the Comment field does not affect the
    > validity of the signature, but to the non-experienced PGP/GPG user
    > it certainly appears to be part of the message.
    > 
    > Example :
    > 
    > A generic message I could have got hold of :
    > 
    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA1
    > 
    > Hello, meeting cancelled, speak to you soon.
    > 
    > -----BEGIN PGP SIGNATURE-----
    > Version: PGP 7.0.4
    > 
    > iQA/AwUBO8r9v9nrfc+JfUO6EQLrEACgv6+C07aWgAO+Dna0MHgEDaoDMxEAoJ2P
    > 7gojqeCRqKqTkbFMkHCToxtq
    > =lki3
    > -----END PGP SIGNATURE-----
    > 
    > I could change this to :
    > 
    > 
    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA1
    > 
    > Hello, meeting cancelled, speak to you soon.
    > 
    > -----BEGIN PGP SIGNATURE-----
    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA1
    > 
    > Please Send the Confidential Files from the planned meeting to
    > My colleague Instead at meat_private . He will now be dealing with
    > this matter.
    > Speak to you soon, victim.
    > 
    > -----BEGIN PGP SIGNATURE-----
    > Version: PGP 7.0.3
    > 
    > iQA/AwUBO8r9v9nrfc+JfUO6EQLrEACgv6+C07aWgAO+Dna0MHgEDaoDMxEAoJ2P
    > 7gojqeCRqKqTkbFMkHCToxtq
    > =lki3
    > -----END PGP SIGNATURE-----
    > 
    > well, you get the idea. The signature is still valid.
    > 
    > Agreed that only the beginner crypto user would fall for this, but
    > if they were to read the message and then just use PGP to check the
    > validity, they could be tricked into believing that the extra lines
    > were part of the verified message.
    > Does anybody else think this is quite a bad idea?
    > 
    > 
    > --
    > PGP Key ID : 0x897D43BA
    > SDF Public Access UNIX System - http://sdf.lonestar.org
    > UKChat - http://www.ukchat.com
    > 
    > 
    > 
    > _________________________________________________________
    > Do You Yahoo!?
    > Get your free @yahoo.com address at http://mail.yahoo.com
    
    -----BEGIN PGP SIGNATURE-----
    Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
    
    iQA/AwUBO8uDnFEUvOACYhiTEQLKbgCfb2G9R0kjZz2ivvSHzFcufEDaUPcAoIWe
    z0N4PqdHy/BxuEbrOiOwt55m
    =Hc/5
    -----END PGP SIGNATURE-----
    
    
    
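The risk discussed in this thread is that a viewer shows text the signature never covered. The following is an added example (not code from either poster or from PGP): it walks the RFC 4880 cleartext-signature layout, returns the lines the signature actually covers, and reports every visible line outside that region, including text smuggled between the signature armor lines as in the forged message above. The rule for what counts as a legitimate armor line (base64 or CRC, `Key: value` headers, blanks) is this example's own simplification, and the sample message and its armored signature bytes are constructed placeholders.

```python
import re

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"
# legitimate lines inside the signature armor: base64/CRC, "Key: value" headers, blanks
ARMOR_LINE = re.compile(r"(?:[A-Za-z0-9+/=]+|[A-Za-z0-9-]+: .*)?")

def split_clearsigned(text):
    """Return (signed, unsigned): lines the signature covers vs. visible lines it does not."""
    signed, unsigned, state = [], [], "before"
    for line in text.splitlines():
        if state in ("before", "after"):
            if state == "before" and line == BEGIN_MSG:
                state = "headers"
            elif line.strip():
                unsigned.append(line)        # text outside the signed region entirely
        elif state == "headers":             # one or more "Hash:" lines, then one empty line
            if line == "":
                state = "signed"
            elif not line.startswith("Hash:"):
                raise ValueError(f"unexpected cleartext header: {line!r}")
        elif state == "signed":
            if line == BEGIN_SIG:
                if signed and signed[-1] == "":  # the line ending just before the armor is not signed
                    signed.pop()
                state = "armor"
            else:                            # undo dash-escaping: "- -----" -> "-----"
                signed.append(line[2:] if line.startswith("- ") else line)
        elif state == "armor":
            if line == END_SIG:
                state = "after"
            elif not ARMOR_LINE.fullmatch(line):
                unsigned.append(line)        # stray text a lenient viewer may still display
    if state != "after":
        raise ValueError("no complete cleartext signature found")
    return signed, unsigned

# Constructed sample mirroring the forged message in the thread; the armored
# signature below is a placeholder, not real signature data.
FORGED = "\n".join([
    BEGIN_MSG, "Hash: SHA1", "", "Hello, meeting cancelled, speak to you soon.", "",
    BEGIN_SIG, BEGIN_MSG, "Hash: SHA1", "",
    "Please send the confidential files to my colleague instead.", "Speak to you soon, victim.", "",
    BEGIN_SIG, "Version: PGP 7.0.3", "", "iQA/AwUBpLaCeHoLdErSiGnAtUrEbYtEsNoTrEaL0000", "=AbCd", END_SIG,
])
```

Running `split_clearsigned(FORGED)` yields only the "meeting cancelled" line as signed, while the injected lines and the nested armor headers come back as unsigned; a viewer that displays the whole buffer next to a "Signature Good" result is showing exactly those unsigned lines.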
    



    This archive was generated by hypermail 2b30 : Mon Oct 15 2001 - 23:30:41 PDT