6661250 2001-06-23 00:48 -0500 /25 lines/ Don Davis <dtd@world.std.com>
Sent by: joel@lysator.liu.se
Imported: 2001-06-24 17:27 by Brevbäraren
External recipient: dtd@world.std.com
Recipient: Bugtraq (import) <17589>
Subject: crypto flaw in secure mail standards
------------------------------------------------------------
From: Don Davis <dtd@world.std.com>
To: dtd@world.std.com
Message-ID: <l03110703b759dcbe54c3@[208.192.102.49]>

> All current secure-mail standards specify, as their
> "high-security" option, a weak use of the public-key
> sign and encrypt operations. ...

i've received permission from usenix to release the
paper on saturday (6/23):

http://world.std.com/~dtd/sign_encrypt/sign_encrypt7.ps
http://world.std.com/~dtd/sign_encrypt/sign_encrypt7.html

- don davis, boston
http://world.std.com/~dtd -
(6661250) /Don Davis <dtd@world.std.com>/-----------

6661312 2001-06-23 11:07 +0200 /82 lines/ Florian Weimer <Florian.Weimer@RUS.Uni-Stuttgart.DE>
Sent by: joel@lysator.liu.se
Imported: 2001-06-24 17:54 by Brevbäraren
External recipient: BUGTRAQ@SECURITYFOCUS.COM
Recipient: Bugtraq (import) <17591>
Comment on text 6657620 by Don Davis <dtd@world.std.com>
Subject: Re: crypto flaw in secure mail standards
------------------------------------------------------------
From: Florian Weimer <Florian.Weimer@RUS.Uni-Stuttgart.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <tgpubvlg2q.fsf@mercury.rus.uni-stuttgart.de>

Don Davis <dtd@world.std.com> writes:

> Suppose Alice and Bob are business partners, and are setting
> up a deal together. Suppose Alice decides to call off the
> deal, so she sends Bob a secure-mail message: "The deal is off."
> Then Bob can get even with Alice:
>
> * Bob waits until Alice has a new deal in the works
>   with Charlie;
> * Bob can abuse the secure e-mail protocol to re-encrypt
>   and resend Alice's message to Charlie;
> * When Charlie receives Alice's message, he'll believe
>   that the mail-security features guarantee that Alice
>   sent the message to Charlie.
> * Charlie abandons his deal with Alice.

This is a classic replay attack, but the protocol being attacked is
not a computer protocol. That's why you shouldn't sign generic
statements such as 'The deal is off.' (or random insults without
specific names, for another example) in the first place.

With suitable user agents (e.g. mutt in conjunction with GnuPG),
Charlie will notice that Alice has signed the message *before* the
negotiations with Charlie have begun.

> Suppose instead that Alice & Bob are coworkers. Alice uses
> secure e-mail to send Bob her sensitive company-internal
> sales plan. Bob decides to get his rival Alice fired:
>
> * Bob abuses the secure e-mail protocol to re-encrypt and
>   resend Alice's sales-plan, with her digital signature,
>   to a rival company's salesman Charlie.
> * Charlie brags openly about getting the sales plan from
>   Alice. When he's accused in court of stealing the plan,
>   Charlie presents Alice's secure e-mail as evidence of
>   his innocence.

Even here, the time difference between signing and sending could be
an indication that someone is playing wrong.

With OpenPGP, in both cases, the creation time information contained
in the signature packet is protected by the digital signature, so Bob
cannot change it before forwarding the message to Charlie. As far as
I recall, in the encryption packet, no encryption time is stored, so
it's not possible for user agents to mistake the encryption time for
the signature creation time.

It is surprising that creation time information which is *not*
provided by a trusted timestamping authority is sufficient to defeat
such attacks or at least make them more complicated.

> Surprisingly, standards-compliant secure-mail clients will
> not detect these attacks.

Have you looked at the OpenPGP/MIME specification draft? It
considers the flaw a feature. PGP 2.x has an explicit command line
option which permits extracting the data and signature from an
encrypted message, so that the signature can still be verified.
There's a patch for GnuPG which implements completely transparent
reencryption.

Forwarding digitally signed messages even if you've received them
encrypted can make sense. Reencrypting mailing lists (with one list
key and individual subscriber keys) need this, and there are more
applications to it.

In short, I don't think this is a protocol flaw, it's just yet
another misunderstanding of the meaning of a digital signature.
OpenPGP does not aim at preventing the receiver from leaking the
transmitted message.

(For what it's worth, both the OpenPGP syntax and OpenPGP/MIME permit
the sender to encrypt first and sign afterwards, but that's not the
default with most implementations.)

--
Florian Weimer                    Florian.Weimer@RUS.Uni-Stuttgart.DE
University of Stuttgart           http://cert.uni-stuttgart.de/
RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898
(6661312) /Florian Weimer <Florian.Weimer@RUS.Uni-Stuttgart.DE>/

6661341 2001-06-23 10:57 +0100 /28 lines/ David Howe <DaveHowe@bigfoot.com>
Sent by: joel@lysator.liu.se
Imported: 2001-06-24 18:07 by Brevbäraren
External recipient: Lyal Collins <lyalc@ozemail.com.au>
External recipient: Email list : Bugtraq <BUGTRAQ@SECURITYFOCUS.COM>
Recipient: Bugtraq (import) <17592>
Subject: Re: crypto flaw in secure mail standards
------------------------------------------------------------
From: "David Howe" <DaveHowe@bigfoot.com>
To: "Lyal Collins" <lyalc@ozemail.com.au>, "Email list : Bugtraq" <BUGTRAQ@SECURITYFOCUS.COM>
Message-ID: <004b01c0fbca$decb39c0$01c8a8c0@default>

"Lyal Collins" <lyalc@ozemail.com.au> wrote:
To: "David Howe" <DaveHowe@Bigfoot.com>; <bugtraq@securityfocus.com>
> One significant issue is that an expert witness can cast doubt, not
> only on the digital signature in question, but upon _every_ digitally
> signed document each party received.

Yes - an expert witness should (and presumably would) reduce the
document to just its signed portion and say "this, and only this, is
what Alice signed; there is no evidence who sent this where, as that
was done after the document was signed".

Provided the *signed* (and timestamped) portion of the
message/document supports the case, there is no doubt cast - a
document that clearly states exactly what Alice wanted to say,
including the recipient, would only be a few characters more (not
even the ID of the recipient is needed, just his name or email
address).

Users find technology far too convenient; few if any of them would
place a legally binding signature on a paper document containing a
simple statement (such as "I agree to the terms of our contract") but
many seem to believe it is ok to make digital signatures saying the
same things...

What is needed is increased user awareness ("you are signing this
document and it will be legally binding - are you sure it says what
you want it to, unambiguously?"), not technological fixes.
(6661341) /David Howe <DaveHowe@bigfoot.com>/(Reflowed)
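The exchange above, as an added example that is not code from any of the posters or from OpenPGP. It models the sign-then-encrypt structure the thread is about: the signed packet is sealed to Bob, Bob unseals it and reseals the untouched packet to Charlie, and Charlie's signature check still passes. It then adds the two receiver-side checks the replies propose: Howe's "name the recipient inside the signed text", and Weimer's "compare the signed creation time with when the conversation started". The primitives are stand-ins built from the standard library (an HMAC over a per-party secret for the signature, a SHA-256 keystream for the encryption); the party names, keys, timestamps and the `To:` line convention are constructed for the example.

```python
"""Toy model of surreptitious forwarding of a sign-then-encrypt message.

Added example, not from the thread. HMAC-SHA256 stands in for a public-key
signature and a SHA-256 keystream stands in for public-key encryption; only
the packet structure (signed data inside, encryption outside) matters.
"""
import hashlib
import hmac
import json
import secrets

PARTIES = ("alice", "bob", "charlie")
SIGN_KEYS = {p: secrets.token_bytes(32) for p in PARTIES}   # constructed
ENC_KEYS = {p: secrets.token_bytes(32) for p in PARTIES}    # constructed


def sign(signer, body, created):
    """Signature packet: the creation time is inside the signed data,
    as the thread notes for OpenPGP, so a forwarder cannot change it."""
    signed_data = created.to_bytes(8, "big") + body
    tag = hmac.new(SIGN_KEYS[signer], signed_data, hashlib.sha256).hexdigest()
    return {"signer": signer, "created": created, "body": body.decode(), "sig": tag}


def verify(packet):
    signed_data = packet["created"].to_bytes(8, "big") + packet["body"].encode()
    want = hmac.new(SIGN_KEYS[packet["signer"]], signed_data, hashlib.sha256).hexdigest()
    return hmac.compare_digest(want, packet["sig"])


def _keystream(key, length):
    out = b""
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]


def encrypt(recipient, plaintext):
    """Encryption layer: no sender identity and no time is recorded here."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(ENC_KEYS[recipient] + nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    return {"to": recipient, "nonce": nonce.hex(), "ct": ct.hex()}


def decrypt(holder, env):
    if env["to"] != holder:
        raise ValueError("not encrypted to this party")
    ct = bytes.fromhex(env["ct"])
    ks = _keystream(ENC_KEYS[holder] + bytes.fromhex(env["nonce"]), len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


def sign_then_encrypt(sender, recipient, text, created, name_recipient=False):
    """Howe's fix is the name_recipient flag: put the recipient in the signed text."""
    body = f"To: {recipient}\n{text}" if name_recipient else text
    return encrypt(recipient, json.dumps(sign(sender, body.encode(), created)).encode())


def forward(holder, env, new_recipient):
    """Bob's step in the thread: unseal, then reseal the unchanged packet."""
    return encrypt(new_recipient, decrypt(holder, env))


def naive_receive(recipient, env):
    """A client that only checks the signature: returns the signer it believes in."""
    packet = json.loads(decrypt(recipient, env))
    return packet["signer"] if verify(packet) else None


def receive(recipient, env, now, max_age):
    """Client applying both checks suggested in the replies."""
    packet = json.loads(decrypt(recipient, env))
    if not verify(packet):
        return "bad signature"
    if not packet["body"].startswith(f"To: {recipient}\n"):
        return "signed text does not name me as recipient"
    if now - packet["created"] > max_age:
        return "signature predates this conversation"
    return "ok"


def run_scenario():
    t0 = 1_000_000          # constructed signing time
    week = 7 * 86400
    plain = sign_then_encrypt("alice", "bob", "The deal is off.", t0)
    named = sign_then_encrypt("alice", "bob", "The deal is off.", t0, name_recipient=True)
    return {
        "naive_accepts_forward": naive_receive("charlie", forward("bob", plain, "charlie")),
        "strict_on_forward": receive("charlie", forward("bob", plain, "charlie"), t0 + 30 * 86400, week),
        "strict_on_named_forward": receive("charlie", forward("bob", named, "charlie"), t0 + 60, week),
        "strict_on_genuine": receive("bob", named, t0 + 60, week),
        "strict_stale": receive("bob", named, t0 + 30 * 86400, week),
    }


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

The naive client reports "alice" as the signer of the forwarded message, which is exactly the belief the original post says Charlie forms. Naming the recipient in the signed text rejects the forward whether or not Bob waited, and the creation-time check catches a forward that happens long after signing even when the text names nobody; the two checks cover different cases, which is why the replies treat them as complementary rather than alternatives.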