1996-01-11 - Re: A weakness in PGP signatures, and a suggested solution (long)

Header Data

From: Jeffrey Goldberg <cc047@Cranfield.ac.uk>
To: dlv@bwalk.dm.com
Message Hash: b8bf539c1aa3a1a5761acc6ee11ecbd3ce1c2458ff0c2d154f7980f49ff29ff4
Message ID: <Pine.ULT.3.91.960110182255.18692H-100000@xdm011>
Reply To: <199601030407.UAA12551@comsec.com>
UTC Datetime: 1996-01-11 17:18:32 UTC
Raw Date: Thu, 11 Jan 96 09:18:32 PST

Raw message

From: Jeffrey Goldberg <cc047@Cranfield.ac.uk>
Date: Thu, 11 Jan 96 09:18:32 PST
To: dlv@bwalk.dm.com
Subject: Re: A weakness in PGP signatures, and a suggested solution (long)
In-Reply-To: <199601030407.UAA12551@comsec.com>
Message-ID: <Pine.ULT.3.91.960110182255.18692H-100000@xdm011>
MIME-Version: 1.0
Content-Type: text/plain


-----BEGIN PGP SIGNED MESSAGE-----

[I am posting this to exactly the same groups that the original was posted
 to.  If someone feels that the distribution should be more limited please
 restrict the follow-ups.  I have also mailed a copy to the original 
 poster.]

On Wed, 27 Dec 1995, Dr. Dimitri Vulis wrote:

> Bob once sent Carol an e-mail that looked like this:
> 
> -----------------------------------------------------------------------
> From: Bob@boxb
> To: Carol@boxc
> Date: 25 Dec 1965
> Subject: Carol, we're history
> Message-ID: <111@boxb>
> 
> ----BEGIN PGP SIGNED MESSAGE----
> 
> I no longer wish to go out with you. Merry Christmas!
> 
> ----BEGIN PGP SIGNATURE----
> Version 2.6.2
> 
> 12341234...
> 
> ----END PGP SIGNATURE----
> 
> -----------------------------------------------------------------------
> 
> Carol can forge an e-mail to Alice that looks like this:
> 
> -----------------------------------------------------------------------
> From: Bob@boxb
> To: Alice@boxa
> Date: 25 Dec 1995
> Subject: Alice, we're history
> Message-ID: <222@bobb>
> 
> ----BEGIN PGP SIGNED MESSAGE----
> 
> I no longer wish to go out with you. Merry Christmas!
> 
> ----BEGIN PGP SIGNATURE----
> Version 2.6.2
> 
> 12341234...
> 
> ----END PGP SIGNATURE----

I have omitted the other scenarios for reasons of space.  All of
them are based on the fact that information about the intended
recipient (including newsgroup) is not part of the information signed.

I proposal is made for a mechanism to have some header information
signed as well.

I don't think that such a thing needs to be build into pgp, but might
be included in pgp/MUA interfaces.

I also think that the crucial lesson here is to take the analogy to
signature on paper more seriously.  Imagine that paper documents were
reproducible in a way that made the original indistinguishable from
copies.  Under search circumstances you would never sign something like:

   I agree to give you my house plus $30,000 in exchange for your house.
                                            (signature)

For the same reasons that you would never sign something like that (without
specifying the individuals and the properties in question), you shouldn't
sign an electronic when the interpretation of the document is a function
of whose hands its in.  As with the paper document, you would never
rely on its interpretation depending on the name on the envelope, you
shouldn't rely on the headers.

As for the recipient, the signature determines responsibility for the
signed portion, but not for the act of sending the document.

The only difference between paper and E-docs is that with paper there
is a distinction between the original and copies.

The lesson is not so much that we should change pgp, but that we should
pay very careful attention to what we sign. 

- -jeff

Jeffrey Goldberg                +44 (0)1234 750 111 x 2826
 Cranfield Computer Centre      FAX         751 814
 J.Goldberg@Cranfield.ac.uk     http://WWW.Cranfield.ac.uk/public/cc/cc047/
      "An `alternative paradigm' is the first refuge of the incompetent" --LM


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i
Comment: Processed by mkpgp, a Pine/PGP interface.

iQCVAgUBMPQNUBu6nIqxqP+5AQGHxgQAunhff6dV0eCXuVe6w+t0KWELlfjx3Iu4
SrKKo/DB+yWYDn+UVsFPyqvG64qmBxSaLLT95S3rbJEPklpRteN2+8Z94O5PxvL4
Q0OfGSX7oPN2Hwl3hkbjhwLWMpogcxfg6yle1SsqMCTMj3t8RAdmWD8DAQ9fEVzK
JdSdEXoc37s=
=21Kt
-----END PGP SIGNATURE-----





Thread