A scenario: 1) The spooks put a bug (named Eve) on the link between kiwi.cs.berkeley.edu and the Internet. Whenever kiwi.cs.berkeley.edu sents out the pubring.pgp Eve intercepts it and replaces it with a file of the spooks' choosing. This file will selectively replace the public pgp keys of some of the remailers (say exon) in pubring.pgp with keys to which the spooks know the private key. 2) A similar bug is put on the link between the exon remailer and the internet. All email to exon is intercepted, and if found to be encrypted with the spooks' PGP key, it is decrypted, saved, re-encrypted with exon's real PGP key and sent on. It is only a scenario. I am still using premail to send this.
At 9:27 PM -0800 12/30/96, Anonymous wrote:
A scenario:
1) The spooks put a bug (named Eve) on the link between kiwi.cs.berkeley.edu and the Internet.
Whenever kiwi.cs.berkeley.edu sents out the pubring.pgp Eve intercepts it and replaces it with a file of the spooks' choosing. This file will selectively replace the public pgp keys of some of the remailers (say exon) in pubring.pgp with keys to which the spooks know the private key.
(1) Protection against this scenario is what the signatures on the key are for. (2) Nomenclature quibble: It would have to be Mallory, not Eve. Eve can only listen. Mallory is a lot more dangerous because he can alter/delete/insert messages as well as listen. ------------------------------------------------------------------------- Bill Frantz | Client in California, POP3 | Periwinkle -- Consulting (408)356-8506 | in Pittsburgh, Packets in | 16345 Englewood Ave. frantz@netcom.com | Pakistan. - me | Los Gatos, CA 95032, USA
frantz@netcom.com (Bill Frantz) wrote:
At 9:27 PM -0800 12/30/96, Anonymous wrote:
A scenario:
1) The spooks put a bug (named Eve) on the link between kiwi.cs.berkeley.edu and the Internet.
(2) Nomenclature quibble: It would have to be Mallory, not Eve. Eve can only listen. Mallory is a lot more dangerous because he can alter/delete/insert messages as well as listen.
My mistake. Long time since I read Applied Cryptography, and that too only partially.
(1) Protection against this scenario is what the signatures on the key are for.
Unfortunately, premail doesn't check the signatures. The only signatures
that pgp can recognize and verify are the self signatures (easy to spoof).
Note that even if the public keys of other signatories are included
in the pubring (unlike now), it will still be easy to spoof the signatures
if one can alter the pubring. The only safe way is to have a public key
generated by Raph included in the premail distribution and then sign the
pubring.pgp file at kiwi.cs.berkeley.edu, and/or its individual keys with it.
Here are three experments, all of which I did. The results are eye-opening.
1) Run premail with +debug=rv . pgp will warn about not being able to
verify signatures.
2) Do a pgp -kvv ~/.premail/pubring.pgp. You will see that all signatures
are either self-signatures or are unverifiable by pgp.
3) Do the following (lines starting with % are C shell commands. Lines
starting with # are comments. Don't enter them directly.)
% mkdir /tmp/k
% setenv PGPPATH /tmp/k
% cp ~/.premail/pubring.pgp /tmp/k
# Remove exon's key
% pgp -kr remailer@remailer.nl.com /tmp/k/pubring.pgp
# Make a new key for exon.
# When pgp prompts for user-id enter
# Senator Exon
participants (3)
-
Bill Frantz
-
Liz Taylor
-
nobody@replay.com