Dr Dimitri Vulis: On Mon, 25 Dec 1995, Dr. Dimitri Vulis wrote:

> Jonathan Blake <grafolog@netcom.com> writes:
>
> > On Mon, 25 Dec 1995, Dr. Dimitri Vulis wrote:
> >
> > > I'll be delighted if someone convinces me that I'm wrong about this. I may even start using PGP signatures. :)
> >
> > When I get the bugs out of the procmail script I'm writing, to accomplish this, I'll send it to you.
>
> I said, Carol can *forge* the RFC 822 header, so her e-mails look like they came from Bob, and use the body from Bob's authentic PGP-signed message.

Strip out everything that is not header information, and is not signed with pgp. You could even strip out all header information, except for who sent the message. That you need, so you know who to respond to.

> The e-mail is sent by Carol, but the RFC 822 header says "From: Bob". If you think this is hard to accomplish, take a look, e.g., at the source

Forged signatures are not that difficult to accomplish.

> The PGP-signed portion is copied verbatim from an authentic message.

This is a good point. However, won't most messages have the name of the intended recipient inside the PGP signature lines? Regardless, you've stated a weakness that I hadn't realized existed.

> Alice _may_ notice that the _Received:_ headers are weird, but this forgery will certainly pass through a script that checks signatures.

I'll have to give this some thought. Have the script match the from id, with the message id. << Not sure how I can do this one, yet. >>

> That's because PGP only signed a portion of the body, not the important headers like "Date:", "To:", "Subject:", and "Newsgroups:", nor the .sig.

The header won't be signed by PGP. That part I will concede. The signature might be signed by PGP, depending on what one is using to read & respond to email with. With SLMR one can sign signatures. << Granted, it is for DOS, and is geared towards FidoNet conferences. And I had to write a batch file to call the editor, then the program to attach the signature, then sign the thing. But the signature was included in the signed part of the pgp message. >>

xan
jonathon
grafolog@netcom.com
****************************************************************
Opinions represented are not necessarily mine. OTOH, they are not representations of any organization I am affiliated with, either.
WebPage: ftp://ftp.netcom.com/gr/graphology/home.html
For a good prime, call 391581 * 2^216193 - 1
**********************************************************************
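The kind of check the thread is circling around, as an added example (not code from either poster, and not the procmail script mentioned): it assumes the sender repeats the From:, To: and Date: headers inside the clearsigned region, so a filter can compare the signed copies against the envelope and flag a replay of Bob's signed body under a forged header. The sample messages and the placeholder signature block are constructed; real signature verification would be done by gpg before this check runs.

```python
import re
from email import message_from_string

# Constructed samples. The signature block is a placeholder: a real filter lets
# gpg verify the signature first, then applies this check to decide whether the
# signed region actually vouches for the addressing the envelope claims.
SIGNED_WITH_HEADERS = """From: bob@example.org
To: dave@example.org
Date: Mon, 25 Dec 1995 12:00:00 -0500

Meet me at noon."""

def envelope(sender, rcpt, date, signed_region):
    """Wrap a clearsigned region in an RFC 822 envelope (constructed sample)."""
    return (f"From: {sender}\nTo: {rcpt}\nDate: {date}\nSubject: hi\n\n"
            "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n"
            f"{signed_region}\n-----BEGIN PGP SIGNATURE-----\n"
            "(placeholder)\n-----END PGP SIGNATURE-----\n")

# Bob's authentic message to Dave.
AUTHENTIC = envelope("bob@example.org", "dave@example.org",
                     "Mon, 25 Dec 1995 12:00:00 -0500", SIGNED_WITH_HEADERS)
# Carol's replay: Bob's signed region, resent to Alice under a forged From:.
REPLAYED = envelope("bob@example.org", "alice@example.org",
                    "Tue, 26 Dec 1995 09:00:00 -0500", SIGNED_WITH_HEADERS)
# A signature covering only the body binds no addressing at all.
BODY_ONLY = envelope("bob@example.org", "alice@example.org",
                     "Mon, 25 Dec 1995 12:00:00 -0500", "Meet me at noon.")

SIGNED_RE = re.compile(r"-----BEGIN PGP SIGNED MESSAGE-----\n(?:Hash:[^\n]*\n)?\n"
                       r"(.*?)\n-----BEGIN PGP SIGNATURE-----", re.S)

def header_mismatches(raw, fields=("From", "To", "Date")):
    """Return the envelope fields that are absent from, or differ from, their
    copies inside the signed region. [] means the signed part vouches for the
    From/To/Date the envelope claims; anything else is treated as unverified."""
    outer = message_from_string(raw)
    m = SIGNED_RE.search(outer.get_payload())
    if m is None:
        return list(fields)                  # nothing clearsigned at all
    inner = message_from_string(m.group(1))  # headers repeated inside the signed part
    return [f for f in fields
            if (inner.get(f) or "").strip() != (outer.get(f) or "").strip()]

if __name__ == "__main__":
    for name, msg in (("authentic", AUTHENTIC), ("replayed", REPLAYED),
                      ("body-only", BODY_ONLY)):
        print(name, header_mismatches(msg) or "From/To/Date bound by signature")
```

Note that the replayed message passes the From: comparison alone, which is why the check also covers To: and Date:; a signature that binds none of them is reported as fully unverified.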