1996-01-18 - Re: A weakness in PGP signatures, and a suggested solution

Header Data

From: Derek Atkins <warlord@ATHENA.MIT.EDU>
To: Eric Murray <ericm@lne.com>
Message Hash: f628b298f933a6ddfa473917ee94b96977bb204e3d34da26a7c2b5ad763c409a
Message ID: <199601180452.XAA26447@charon.MIT.EDU>
Reply To: <199601180442.UAA15648@slack.lne.com>
UTC Datetime: 1996-01-18 05:03:43 UTC
Raw Date: Thu, 18 Jan 1996 13:03:43 +0800

Raw message

From: Derek Atkins <warlord@ATHENA.MIT.EDU>
Date: Thu, 18 Jan 1996 13:03:43 +0800
To: Eric Murray <ericm@lne.com>
Subject: Re: A weakness in PGP signatures, and a suggested solution
In-Reply-To: <199601180442.UAA15648@slack.lne.com>
Message-ID: <199601180452.XAA26447@charon.MIT.EDU>
MIME-Version: 1.0
Content-Type: text/plain


> Your PGP-aware mail agent should add a line to the text to be
> encrypted, consisting of a random number (hopefully very unguessable
> and fairly random) and an RFC822 header:
> 
> X-PGP-nonce: b1de70694f5f0824f89cb3f09aece01d
> 
> and replicate that in the RFC822 envelope.
> Put just the nonce value and not the header in the block to be
> encrypted if you're concerned about assisting a known-plaintext attack.

Actually, that doesn't work either -- if I wanted to forward the
message you sent me to someone else to make them think that you sent
it to them, I could just take the nonce and put that in the header of
my forwarded message and it would match...

No, you need to include the "to" and "cc" fields as well inside the
signed message.  But again, the MUA should do this, not PGP.

-derek
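As an added illustration of the point Derek makes (this is example code written for this archive page, not code from either poster or from PGP), the script below models the two schemes as a sending and a receiving MUA would see them: the nonce-only scheme from the quoted proposal, and the variant where the To and Cc fields are copied inside the signed text. A keyed HMAC stands in for the PGP signature (PGP uses public-key signatures; the HMAC only shows which fields the signature covers, so no PGP library is needed), and the addresses, key and message text are constructed for the example. The forwarding step is exactly the one described in the reply: the signed block and its signature are left intact, only the envelope is rewritten and the nonce copied over.

```python
import hashlib
import hmac
import secrets

# Stand-in signing key (constructed); a real MUA would use the sender's PGP key.
SENDER_KEY = b"stand-in-signing-key-for-the-sender"


def sign_body(key: bytes, body: str) -> str:
    """Signature over the text that goes inside the PGP block (HMAC stand-in)."""
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def verify_body(key: bytes, body: str, sig: str) -> bool:
    return hmac.compare_digest(sign_body(key, body), sig)


def make_message(key: bytes, to: str, cc: str, text: str, bind_recipients: bool) -> dict:
    """Build a message the way the sending MUA would.

    bind_recipients=False: nonce-only scheme (nonce inside the signed text and
                           replicated in the envelope).
    bind_recipients=True:  Derek's fix, To and Cc copied into the signed text.
    """
    nonce = secrets.token_hex(16)
    signed_lines = []
    if bind_recipients:
        signed_lines.append(f"To: {to}")
        signed_lines.append(f"Cc: {cc}")
    signed_lines.append(f"X-PGP-nonce: {nonce}")
    signed_lines.append("")          # blank line separates signed headers from text
    signed_lines.append(text)
    body = "\n".join(signed_lines)
    return {
        "envelope": {"To": to, "Cc": cc, "X-PGP-nonce": nonce},
        "body": body,                # what the PGP signature covers
        "sig": sign_body(key, body),
    }


def forward_unchanged(msg: dict, new_to: str) -> dict:
    """Re-deliver a message to someone else: signed block and signature are kept
    as-is, the envelope To is rewritten and the nonce is copied into the envelope
    (the situation described in the reply above)."""
    return {
        "envelope": {"To": new_to, "Cc": "", "X-PGP-nonce": msg["envelope"]["X-PGP-nonce"]},
        "body": msg["body"],
        "sig": msg["sig"],
    }


def parse_signed_headers(body: str) -> dict:
    """Header lines that were inside the signed block, up to the first blank line."""
    headers, _, _ = body.partition("\n\n")
    parsed = {}
    for line in headers.splitlines():
        name, _, value = line.partition(": ")
        parsed[name] = value
    return parsed


def check_message(key: bytes, msg: dict, my_address: str) -> str:
    """Receiving MUA: verify signature, nonce replication, then recipient binding."""
    if not verify_body(key, msg["body"], msg["sig"]):
        return "rejected: bad signature"
    signed = parse_signed_headers(msg["body"])
    if signed.get("X-PGP-nonce") != msg["envelope"]["X-PGP-nonce"]:
        return "rejected: nonce mismatch"
    if "To" not in signed:
        # Nothing inside the signature says who the message was for.
        return "accepted (recipient not bound)"
    bound = set()
    for field in ("To", "Cc"):
        for addr in signed.get(field, "").split(","):
            if addr.strip():
                bound.add(addr.strip())
    if my_address not in bound:
        return "rejected: recipient not in signed To/Cc"
    return "accepted"


if __name__ == "__main__":
    nonce_only = make_message(SENDER_KEY, "derek@example.test", "", "meet at noon", False)
    print(check_message(SENDER_KEY, forward_unchanged(nonce_only, "carol@example.test"),
                        "carol@example.test"))      # accepted (recipient not bound)
    bound_msg = make_message(SENDER_KEY, "derek@example.test", "", "meet at noon", True)
    print(check_message(SENDER_KEY, forward_unchanged(bound_msg, "carol@example.test"),
                        "carol@example.test"))      # rejected: recipient not in signed To/Cc
```

With the nonce only, the forwarded copy verifies perfectly for the new recipient, because the nonce travels with the message and nothing in the signed text names the intended reader. With To and Cc inside the signed block, the same forwarded copy is rejected as soon as the receiving MUA compares its own address against the signed recipient list; a legitimate Cc recipient still passes that check.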
