1994-09-30 - RE: PGP hole

Header Data

From: Jonathan Adams <jonathan@memex.com>
To: cypherpunks@toad.com
Message Hash: d2e6216bb11716f60e2346c9193abbaa538678243cd9de7c577348c09e99c7c9
Message ID: <199409301410.HAA12750@mailhost.memex.com>
Reply To: N/A
UTC Datetime: 1994-09-30 14:32:33 UTC
Raw Date: Fri, 30 Sep 94 07:32:33 PDT

Raw message

From: Jonathan Adams <jonathan@memex.com>
Date: Fri, 30 Sep 94 07:32:33 PDT
To: cypherpunks@toad.com
Subject: RE: PGP hole
Message-ID: <199409301410.HAA12750@mailhost.memex.com>
MIME-Version: 1.0
Content-Type: text/plain


Alan Barret <barrett@daisy.ee.und.ac.za> wrote to Cypherpunks:
> > 	Yes, this was a deliberate design decision, most probably
> > so the same code could be used to parse --- BEGIN PGP
> > ENCRYPTED MESSAGE --- and --- BEGIN PGP SIGNATURE ---. However,
> > this is a _huge_ security hole, as it allows the nearly-undetectable
> > modification of PGP-signed messages.
> 

> It's nowhere near undetectable.  When you ask pgp to check the
> signature, pgp writes the signed message to a file (or to stdout),
> and that output does not include the {header/junk/extra stuff}
> between the BEGIN line and the blank line.

The problem is, if you are using an interface to PGP, most of the time  
they use PGP in batchmode to check the signature, and they don't let you  
see the output. This means people go "Check the signature", PGP says "Good  
signature found", and they think that it has never been modified. This is  
a security hole. Not everyone uses PGP to do everything from the command  
line. Plus, using lines with only a tab in them, it's possible to add  
seperated paragraphs and "normal-looking" text.

> I don't like this bug/feature, but I don't see it as a serious
> security problem for users who are aware of it.  I do think it
> could be a problem for users who are not aware of it, and who
> incorrectly assume that the "good signature" message means that
> the {header/junk/extra stuff} was part of the signed material.
> 

> --apb (Alan Barrett)

Here's an example:

-----BEGIN PGP SIGNED MESSAGE-----
	
Note that this paragraph was added *AFTER* this message was digitally  
signed.
Note also that the line above this paragraph contains *1* tab. Using this,  
it's possible to add as much stuff to the beginning of a clearsigned  
message as you want, with it looking completely natural, and checking  
fine. This *IS* a security hole.
	
This para was also added later.

Test message

My public key follows, after this signed message:

-----BEGIN PGP SIGNATURE-----
Version: 2.6.1

iQCVAwUBLowcCDidu+MSuAG5AQFpgQP7B1K5uKAQBEdmAxuNGJAvl97GWYlU9miv
HbBQbkPo5C6BsbaJvbzxplZE2YN98bWO2IhMOJdNfywaCuWnQFJGcRcZiGvDqyqc
0vQj0qhy37KPBp1CjrEf76neCjyOL4bWtz+BrF9tru8O7olGv61fGASpkpjL46Zg
bFtb8UP0kV4=
=D3M0
-----END PGP SIGNATURE-----

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.1

mQCVAy5s+KsAAAEEAMp5v1Q/6kqmN3ZFejiBrK1rAgCH0jM/QUHXSbf2wkCCeE4g
Slzp93pIhez6EJasdJFdp/QafO3nTKFjZ9ZZTClnPeMFjlATuJoA/gLsPuoRgRxv
2n9UWkw1eNg8cprfdK/C4oO53Sd4DxrctBHW1enVFMB4TeuLqzidu+MSuAG5AEYg
AAAAAAAAAAO0J0pvbmF0aGFuIFcuIEFkYW1zIDxqb25hZGFtc0BuZXRjb20uY29t
PokAdQMFEC5s+Qw2D9BFC0YeTQEBETAC/1+fw55S1hMBCv5vMOlGlbVSYcaf9QFz
6RnJG4hDXzVPii/PxZf9w5sXraZr39a/OW09sMPdszLlyPfR8zsihd4j4qCnLAjI
v16XKU1ft85DEHjpwQFhWnYNCFSeGX5VU4kAlQMFEC5s+O84nbvjErgBuQEBXRYD
/Ave3Uoc3GRfv/995Yz0RQDUmi4JRzo749dVtXBatODo1vr2209+fHVGu+IZtRx2
WCUKY9YSQr95XJuqxFsfBpdQ6pAyxov5kfecrE2uDrBqlQBCs4IAnMnZeE5FD1Cd
d28qEO2sKAimqJjtcJNvYOr7aL2AFKjXqP1B+wD3Lnn+
=Cqf1
-----END PGP PUBLIC KEY BLOCK-----







Thread