A scenario: 1) The spooks put a bug (named Eve) on the link between kiwi.cs.berkeley.edu and the Internet. Whenever kiwi.cs.berkeley.edu sents out the pubring.pgp Eve intercepts it and replaces it with a file of the spooks' choosing. This file will selectively replace the public pgp keys of some of the remailers (say exon) in pubring.pgp with keys to which the spooks know the private key. 2) A similar bug is put on the link between the exon remailer and the internet. All email to exon is intercepted, and if found to be encrypted with the spooks' PGP key, it is decrypted, saved, re-encrypted with exon's real PGP key and sent on. It is only a scenario. I am still using premail to send this.
At 9:27 PM -0800 12/30/96, Anonymous wrote:
A scenario:
1) The spooks put a bug (named Eve) on the link between kiwi.cs.berkeley.edu and the Internet.
Whenever kiwi.cs.berkeley.edu sents out the pubring.pgp Eve intercepts it and replaces it with a file of the spooks' choosing. This file will selectively replace the public pgp keys of some of the remailers (say exon) in pubring.pgp with keys to which the spooks know the private key.
(1) Protection against this scenario is what the signatures on the key are for. (2) Nomenclature quibble: It would have to be Mallory, not Eve. Eve can only listen. Mallory is a lot more dangerous because he can alter/delete/insert messages as well as listen. ------------------------------------------------------------------------- Bill Frantz | Client in California, POP3 | Periwinkle -- Consulting (408)356-8506 | in Pittsburgh, Packets in | 16345 Englewood Ave. frantz@netcom.com | Pakistan. - me | Los Gatos, CA 95032, USA
frantz@netcom.com (Bill Frantz) wrote:
At 9:27 PM -0800 12/30/96, Anonymous wrote:
A scenario:
1) The spooks put a bug (named Eve) on the link between kiwi.cs.berkeley.edu and the Internet.
(2) Nomenclature quibble: It would have to be Mallory, not Eve. Eve can only listen. Mallory is a lot more dangerous because he can alter/delete/insert messages as well as listen.
My mistake. Long time since I read Applied Cryptography, and that too only partially.
(1) Protection against this scenario is what the signatures on the key are for.
Unfortunately, premail doesn't check the signatures. The only signatures that pgp can recognize and verify are the self signatures (easy to spoof). Note that even if the public keys of other signatories are included in the pubring (unlike now), it will still be easy to spoof the signatures if one can alter the pubring. The only safe way is to have a public key generated by Raph included in the premail distribution and then sign the pubring.pgp file at kiwi.cs.berkeley.edu, and/or its individual keys with it. Here are three experments, all of which I did. The results are eye-opening. 1) Run premail with +debug=rv . pgp will warn about not being able to verify signatures. 2) Do a pgp -kvv ~/.premail/pubring.pgp. You will see that all signatures are either self-signatures or are unverifiable by pgp. 3) Do the following (lines starting with % are C shell commands. Lines starting with # are comments. Don't enter them directly.) % mkdir /tmp/k % setenv PGPPATH /tmp/k % cp ~/.premail/pubring.pgp /tmp/k # Remove exon's key % pgp -kr remailer@remailer.nl.com /tmp/k/pubring.pgp # Make a new key for exon. # When pgp prompts for user-id enter # Senator Exon <remailer@remailer.nl.com> # You may want to specify the lowest key size, 384, for convenience, and # an easy passphrase such as `exon'. % pgp -kg # Make a mail file. % cat > /tmp/k/mail <<! To: nobody@nowhere.at.all ((chain=exon)) Subject: A test. Is this really encrypted for Senator Exon, or for the spooks? ! # Backup your ~/.premail/pubring.pgp % cp ~/.premail/pubring.pgp ~/.premail/pubring.pgp.BAK # Now premail the mail file. # You have two choices. # If you have lynx installed, use this command. And make sure # that enough time has expired since the last time you ran premail, # so it is forced to download the pubring. # This command is one line. It might have been folded by your mail reader, # so unfold it. % premail +storefile=/tmp/k/mailout.pgp +debug=rv +pubring-url=file:/tmp/k/pubring.pgp -t < /tmp/k/mail # If you don't have lynx, just manually copy the pubring file to your # .premail directory, and then run premail as follows. This time, make # sure that premail doesn't download the pubring file, by not giving it # enough time since you last ran it. # The cp and the premail are both one line commands. Correct any folding. % cp /tmp/k/pubring.pgp ~/.premail % premail +storefile=/tmp/k/mailout.pgp +debug=rv -t < /tmp/k/mail # Now see if you, the spook, can decrypt the file that normally premail # would have send off to exon, blissfully unaware that the spooks are waiting # to catch it. # Use the pass phrase you chose when you did the pgp -kg step above. % pgp /tmp/k/mailout.pgp % cat /tmp/k/mailout # Gee. Looks like the spooks got your mail, huh? # If you can't decrypt /tmp/k/mailout.pgp the premail step used a different # pubring than /tmp/k/pubring.pgp. Make sure /tmp/k/pubring.pgp and # ~/.premail/pubring.pgp are identical, remove /tmp/k/mailout.pgp and # run premail again. # Restore everything. % mv ~/.premail/pubring.pgp.BAK ~/.premail/pubring.pgp % unsetenv PGPPATH % rm -rf /tmp/k # Convinced?
participants (3)
-
Bill Frantz -
Liz Taylor -
nobody@replay.com