---------- Forwarded message ----------
Date: 22 Jun 2001 18:40:09 -0000
From: lcs Mixmaster Remailer <mix@anon.lcs.mit.edu>
To: cryptography@wasabisystems.com
Subject: Re: crypto flaw in secure mail standards

Don Davis writes,
> All current secure-mail standards have a significant cryptographic flaw. There are several standard ways to send and read secure e-mail. The most well-known secure mail systems are PGP and S/MIME. All current public-key-based secure-mail standards have this flaw. Here are some examples of the flaw in action:
>
> Suppose Alice and Bob are business partners, and are setting up a deal together. Suppose Alice decides to call off the deal, so she sends Bob a secure-mail message: "The deal is off."
The only thing protected in a signed message is that portion signed. Alice needs to say, "Bob, the deal is off."

Actually this is not enough. Suppose Alice sends this, or equivalently suppose we use an encryption scheme similar to what David Hopwood describes where the inner signed portion includes the outer key. There can still be trouble. Suppose at some later time Alice and Bob negotiate a new contract, and Bob wants to get out of it. He pulls out this old message of Alice's and stamps a new date on it, claiming that it was with regard to their new contract negotiation. He says that Alice withdrew from the contract so he is not liable for any penalties.

Again the problem is that only what is signed is protected. If the date is not signed, it is not protected. So the protocol has to include the date in the signature. (Actually I think most email encryption protocols do this, but the point is that the formal description of what is signed may not show that.) Only what is signed is protected.

Even the date may not be enough. Suppose Alice and Bob are separately negotiating two different contracts, using a threaded mail reader which uses Reply-To: or some similar fields in the mail header so that exchanges with regard to one contract are shown separately from exchanges with regard to the other. Then Alice might send, "Bob, the deal is off," including a date in the signature, and expect it to apply just to the deal being negotiated in that thread, because that's how her mail software shows it. However Bob can take the message and claim that it applied to the other thread. In this case, other context that was in the minds of Alice and Bob is not being covered by the signature.

This is really the general form of the issue being discussed. What is in the minds of the participants, what assumptions are they making that are not being written down? This is why we have lawyers and contracts and fine print.
These institutions and practices are the result of centuries of people weaseling out of contracts in various ways. It is mistaken to think that we can solve this problem by a little cryptographic legerdemain involving copying a field from the outer encryption envelope into the inner signature. That does not begin to cover all of the things that can go wrong.

The only real solution is to use the advice and experience of the legal system when negotiating a contract which will bind the parties. Make sure everything is written down and sign a document which is as clear, specific and free of ambiguity as possible.

It's not a cryptographic issue, and failures of this kind are not cryptographic failures. Cryptography can't read the minds of the parties involved and know that all of their assumptions are included in the signed portion. The real solution is for the communicants to take the responsibility to put everything there that is needed. Only what is signed is protected.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com
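
The rule "only what is signed is protected", as an added example that is not part of the original message: one signature taken over the body alone and one taken over body, date, recipient, sender and thread are each checked against altered copies of the same message. Toy textbook RSA with a constructed key stands in for a PGP or S/MIME signature, and the field names and sample values are assumptions made for the illustration.

```python
import hashlib
import json

# Toy textbook RSA key for Alice, built from two Mersenne primes. Constructed
# so the example needs only the standard library; not a secure key or scheme.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)

def _digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data: bytes) -> int:
    return pow(_digest(data), D, N)

def verify(data: bytes, sig: int) -> bool:
    return pow(sig, E, N) == _digest(data)

def canonical(msg: dict, fields) -> bytes:
    """Serialize exactly the fields the signature is meant to cover."""
    return json.dumps({f: msg[f] for f in fields}, sort_keys=True).encode()

# Hypothetical field sets: what the signer chose to put under the signature.
BODY_ONLY = ("body",)
WITH_CONTEXT = ("body", "date", "recipient", "sender", "thread")

# Constructed sample message.
original = {"sender": "alice", "recipient": "bob", "date": "2001-06-22",
            "thread": "contract-A", "body": "The deal is off."}

def replay_accepted(fields, **changed) -> bool:
    """Sign `original` over `fields`, then verify a copy with `changed` values."""
    sig = sign(canonical(original, fields))
    presented = {**original, **changed}
    return verify(canonical(presented, fields), sig)

if __name__ == "__main__":
    for label, fields in (("body only", BODY_ONLY), ("with context", WITH_CONTEXT)):
        print(label,
              "| re-dated:", replay_accepted(fields, date="2002-03-01"),
              "| other thread:", replay_accepted(fields, thread="contract-B"),
              "| other recipient:", replay_accepted(fields, recipient="charlie"),
              # A field outside the signed set is never checked by verify().
              "| unsigned note changed:", replay_accepted(fields, note="re: 2nd deal"))
```

The last column stays accepted under both field sets: any field or understanding left outside the signed bytes can be changed without the signature noticing.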