Only accepting e-mail from known parties
owner-cypherpunks@toad.com writes:
Eric Murray wrote:
| Where we're headed is mail filters with PGP imbedded (PGP 3 will | make this much easier) that check incoming mail for a valid signature | for certain PGP keyid/fingerprints and pass that mail along. | Other mail that doesn't match gets tossed into a 'junk' folder | or thrown away if you really don't want to talk to anyone that you | don't already know.
I agree with the assesment of where we may be going, but the technology is available now. (Marshall Rose uses it; if you want to get mail into his private mailbox, offer him some $ via imbedded FV authorizations in the mail, and it goes into his inbox. If he thinks it was worth his time, he doesn't charge you.)
Anyway, the code is defeintely available now. The back end is a little kludgy, but it was needed for an auto ley retreival script. This could easily be hacked to include a +pubring=$people line. The script gives you a keyid, which you can then use to filter on, ie: <shell script>
This is much better than nothing. This would stop the e-mail being sent to everyone who's ever posted to Usenet. I see a couple of attacks: 1. Alice only accepts signed e-mail from Bob. Carol receives a signed e-mail from Bob to Carol, sends 10,000 e-mails to Alice (via sendmail) with From: bob, same body+signature, possibly varying message-ids and subjects. 2. Alice only accepts signed e-mail from Bob. Carol, a rogue sysadmin, intercepts an e-mail from Bob to Alice, sends 10,000 more copies of it to Alice (via sendmail) with From: bob, possibly varying message-ids and subjects. As I keep pointing out, pgp-signing the body is not enough. --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps
On Mon, 25 Dec 1995, Dr. Dimitri Vulis wrote:
As I keep pointing out, pgp-signing the body is not enough.
You're wrong. You can setup Procmail to detect if something is signed with PGP, and if it is, to run a script which determines the authenticity of the signature. If the signature is not authentic, the message goes to /dev/null. That way, even if Carol is using intercepted messages from Bob, Carol's messages won't be accepted or seen. xan jonathon grafolog@netcom.com **************************************************************** Opinions represented are not necessarilly mine. OTOH, they are not representations of any organization I am affiliated with, either. WebPage: ftp://ftp.netcom.com/gr/graphology/home.html For a good prime, call 391581 * 2^216193 - 1 **********************************************************************
Jonathan Blake <grafolog@netcom.com> writes:
On Mon, 25 Dec 1995, Dr. Dimitri Vulis wrote:
As I keep pointing out, pgp-signing the body is not enough.
You're wrong.
I'll be delighted if someone convinces me that I'm wrong about this. I may even start using PGP signatures. :)
You can setup Procmail to detect if something is signed with PGP, and if it is, to run a script which determines the authenticity of the signature. If the signature is not authentic, the message goes to /dev/null. That way, even if Carol is using intercepted messages from Bob, Carol's messages won't be accepted or seen.
Carol needn't put her real name in the "From:" line. Much of the unsolicited commercial junk e-mail comes from bogus addresses. I said, Carol can *forge* the RFC 822 header, so her e-mails look like they came from Bob, and use the body from Bob's authentic PGP-signed message. For example, Bob may have once sent Carol an e-mail that looked like this: ----------------------------------------------------------------------- From: Bob To: Carol Date: 25 Dec 1965 Subject: Carol, we're history Message-ID: <111@bob> ----BEGIN PGP SIGNED MESSAGE---- I no longer wish to go out with you. Merry Christmas! ----BEGIN PGP SIGNATURE---- Version 2.6.2 12341234... ----END PGP SIGNATURE---- "Ask not what your country can do to you, but what you can do to your country" ----------------------------------------------------------------------- Carol can *easily* forge an e-mail to Alice that looks like this: ----------------------------------------------------------------------- From: Bob To: Alice Date: 25 Dec 1995 Subject: Alice, we're history Message-ID: <222@bob> ----BEGIN PGP SIGNED MESSAGE---- I no longer wish to go out with you. Merry Christmas! ----BEGIN PGP SIGNATURE---- Version 2.6.2 12341234... ----END PGP SIGNATURE---- "Sex with Carol was the greatest sex I've ever had" ----------------------------------------------------------------------- The e-mail is sent by Carol, but the RFC 822 header says "From: Bob". If you think this is hard to accomplish, take a look, e.g., at the source code the Lance Cotrell's mixmaster and see how it talks to sendmail. The PGP-signed portion is copied verbatim from an authentic message. Alice _may_ notice that the _Received:_ headers are weird, but this forgery will certainly pass through a script that checks signatures. E.g., this trick could be used to mailbomb someone with many copies of the same authentic e-mail. That's because PGP only signed a portion of the body, not the important headers like "Date:", "To:", "Subject:", and "Newsgroups:", nor the .sig. Happy holidays, --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps
Dr. Dimitri Vulis wrote: | I said, Carol can *forge* the RFC 822 header, so her e-mails look like they | came from Bob, and use the body from Bob's authentic PGP-signed message. Yes, this is possible. No, I'm not going to take the time to write a fix now, but, we both know its not tough to prevent. Take the hash of the pgp signed message, use it to filter on. I'll occaisonally add text outside a signature (literally, a postscript), so filtering out everything outside the signed text is a bad idea. You might get a few spams, but not hundreds. Its tough to ensure that mail always has an envelope that matches the key. I still use a key that say adam@bwh.harvard.edu, but most of my mail is signed with an adam@homeport.org key. Cryptography can't solve social problems. It can, however, transform them into tougher problems for the anti-social. Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume
Dr Dimitri Vulis: On Mon, 25 Dec 1995, Dr. Dimitri Vulis wrote:
Jonathan Blake <grafolog@netcom.com> writes:
On Mon, 25 Dec 1995, Dr. Dimitri Vulis wrote:
I'll be delighted if someone convinces me that I'm wrong about this. I may even start using PGP signatures. :)
When I get the bugs out of the procmail script I'm writing, to accomplish this, I'll send it to you.
I said, Carol can *forge* the RFC 822 header, so her e-mails look like they came from Bob, and use the body from Bob's authentic PGP-signed message.
Strip out everything that is not header information, and is not signed with pgp. You could even strip out all header information, except for who sent the message. That you need, so you know who to respond to.
The e-mail is sent by Carol, but the RFC 822 header says "From: Bob". If you think this is hard to accomplish, take a look, e.g., at the source
Forged signatures are not that difficult to accomplish.
The PGP-signed portion is copied verbatim from an authentic message.
This is a good point. However, won['t most messages have the name of the intended recipient inside the PGP signature lines? Regardless, you've stated a weakness that I hadn't realized existed.
Alice _may_ notice that the _Received:_ headers are weird, but this forgery will certainly pass through a script that checks signatures.
I'll have to give this some thought. Have the script match the from id, with the message id. << Not sure how I can do this one, yet. >>
That's because PGP only signed a portion of the body, not the important headers like "Date:", "To:", "Subject:", and "Newsgroups:", nor the .sig.
The Header won't be signed by PGP. That part I will concede. The signature might be signed by PGP, depending on what one is using to read & respond to email with. With SLMR can sign signatures. << Granted, it is for DOS, and is geared towards FidoNet conferences. And I had to right a batch file to call the editor, then the program to attach the signature, then sign the thing. But the signature was included in the signed part of the pgp message. >> xan jonathon grafolog@netcom.com **************************************************************** Opinions represented are not necessarilly mine. OTOH, they are not representations of any organization I am affiliated with, either. WebPage: ftp://ftp.netcom.com/gr/graphology/home.html For a good prime, call 391581 * 2^216193 - 1 **********************************************************************
(No, this is not Jonathan Blake; see .sig below :) Jonathan Blake <grafolog@netcom.com> writes:
When I get the bugs out of the procmail script I'm writing, to accomplish this, I'll send it to you.
I'd be very interested. I may even use it, if it works. :) I like Adam Shostak's suggestion regarding caching hashes of signed portions of incoming e-mail. If the filter is going to keep track of e-mail history, then another possible useful feature would be to limit the number of e-mails accepted from a given party (even distinict). "You mail is being returned to you because you're only authorized to send 10 e-mails here in a 24-hour period". Heh.
However, won['t most messages have the name of the intended recipient inside the PGP signature lines?
Not necessarily. Most e-mails say something like "Dear Alice," but not all. I wish the important headers were included in the signed portion. Here's another variant of the same attack: Bob sends Alice a PGP-signed e-mail. Alice posts a Usenet forgery, making it look like it came from Bob, and using the same PGP-signed body.
Alice _may_ notice that the _Received:_ headers are weird, but this forgery will certainly pass through a script that checks signatures.
I'll have to give this some thought. Have the script match the from id, with the message id. << Not sure how I can do this one, yet. >>
It's a piece of cake to forge the message-id to match the forged "From:". In fact, I'll do just that in this article, and I bet it'll take me less than a minute. Besides, your message-id doesn't match your host. :) I'm off to teach C++ now. (Yes, on Xmas) --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps
On Mon, 25 Dec 1995, Dr. Dimitri Vulis wrote:
As I keep pointing out, pgp-signing the body is not enough.
You're wrong.
He's right.
You can setup Procmail to detect if something is signed with PGP, and if it is, to run a script which determines the authenticity of the signature. If the signature is not authentic, the message goes to /dev/null. That way, even if Carol is using intercepted messages from Bob, Carol's messages won't be accepted or seen.
Ok. If I want to get my email ad for the Ronco turnip-twaddler past a filter like that, all I need to do is to create a PGP key with a user name that's the same as one that the victim already receives. i.e. if I know that joe@blort.com exchanges email with phred@none.net, then I just create a PGP key with the name "phred@none.net", and sign the turnip-twaddler ad with that. It'd have a valid signature, and one coming from Joe's friend phred. Mail accepted. In addition to checking for a valid signature, the filtering software would have to also check the PGP key id of the key used. It would also need to make sure that there is ONLY PGP-signed content in the mail. Otherwise Mallet could grab an innocuous mail message that Phred signed and included it at the bottom of the turnip-twaddler ad. It wouldn't make sense (although that might be usual with Phred), but it'd contain a valid signature from Phred, and therefore get the ad past the filter. I'm sure there's other caveats, these are just the ones I can think of now. I wish all Cypherpunks a Merry Christmas. I hope Santa brought you all something nice, like a fast new stream cipher, a new key exchange protocol, or maybe a note from the Fedz saying that ITAR has been lifted. -- Eric Murray ericm@lne.com ericm@motorcycle.com http://www.lne.com/ericm PGP keyid:E03F65E5 fingerprint:50 B0 A2 4C 7D 86 FC 03 92 E8 AC E6 7E 27 29 AF
Erik: On Mon, 25 Dec 1995, Eric Murray wrote:
On Mon, 25 Dec 1995, Dr. Dimitri Vulis wrote:
Ok. If I want to get my email ad for the Ronco turnip-twaddler past a filter like that, all I need to do is to create a PGP key with a user name that's the same as one that the victim already receives.
i.e. if I know that joe@blort.com exchanges email with phred@none.net, then I just create a PGP key with the name "phred@none.net", and sign the turnip-twaddler ad with that. It'd have a valid signature, and one coming from Joe's friend phred. Mail accepted.
But will the signature match that of phred@none.net's PGP key. I doubt it.
In addition to checking for a valid signature, the filtering software would have to also check the PGP key id of the key used. It would
To check a signature, you need the public key the signature was created with. You allready have phred@none.net's public key on your keyring. If that key does not demonstrate an authentic signature for the messge, then the message is a fake. Now, if you assume that your keyring has been compromised, then you can also check the signatures of who signed the keys. At a minimu, your signature should be on the authentic key. If it is missing, then you can place the message in a "suspected to be forged bin", or just send it to dev/null, unread.
also need to make sure that there is ONLY PGP-signed content in the mail. Otherwise Mallet could grab an innocuous mail message that
I hadn't thought of that, but here is one solution. Run a perl script that automatically deletes everything that is not signed by pgp, with the exception of the date, the sender, and the subject line.
I'm sure there's other caveats, these are just the ones I can think of now.
Let's figure out some more threat models. And how to counter them. Man in the middle --- he has your public key, joe@none.net's public key, and access to both your pbulic ring, and joe@none.net public ring. I don't know know how to counter this one using filters with perl --- yet. xan jonathon grafolog@netcom.com **************************************************************** Opinions represented are not necessarilly mine. OTOH, they are not representations of any organization I am affiliated with, either. WebPage: ftp://ftp.netcom.com/gr/graphology/home.html For a good prime, call 391581 * 2^216193 - 1 **********************************************************************
Jonathan Blake wrote: | > also need to make sure that there is ONLY PGP-signed content in the | > mail. Otherwise Mallet could grab an innocuous mail message that [...] | > I'm sure there's other caveats, these are just the ones I can think of now. | | Let's figure out some more threat models. And how to counter | them. | | Man in the middle --- he has your public key, joe@none.net's | public key, and access to both your pbulic ring, and | joe@none.net public ring. I don't know know how to counter | this one using filters with perl --- yet. The real threat model that Dimitri seems to be worried about is spammers, so lets address them. There are two types of spammers, commercial and personal. The commercial spammer wants to get messages into hundreds or thousands of mail boxes. The effort to do this, per mailbox, needs to be very low, or they go for people with worse filters. The personal spammer is more difficult, since they seek specifically to annoy you, and can thus be expected to expend more effort. They can possibly get a copy of each signed message that comes to you, but of course, you can cache filter them. A problem occurs if they can get their spam to you before the legit message, in which case you need to wade through tripe to get to the real message. The personal spammer is a social problem, and I recommend using social methods to fix it. An auto-responder that says "Please grow up" might do the trick. -- "It is seldom that liberty of any kind is lost all at once." -Hume
participants (5)
-
Adam Shostack -
dlv@bwalk.dm.com -
Eric Murray -
Jonathan Blake -
NOT Jonathan Blake