If you would, please send perhaps a breif "digest" of the thread. (Or the entire thing, if that's easier.)
The whole thread is much too long to post (and besides, it has nothing to do with bikinis or Fabio ;-) ). The gist of the problem seems to be that a signed cleartext message can be altered by adding spoofed text right after the BEGIN PGP SIGNED MESSAGE line. If the spoofed text is separated from the original text by a blank line or even a tab, PGP reports that the signature is good in spite of the added text. Apparently, the output file is a faithful version of the original message, but users who don't check that file might believe that the spoofed text was a part of the original message. I have not personally tried this yet, but the thread is full of comments from people who have, including some people who originally didn't believe it but later confirmed the existence of the problem themselves. The bug seems to be present in all versions (even the ViaCrypt versions have this problem). It has been reported as a bug to the MIT pgp-keepers. Caveat emptor. =D.C. Williams <dcwill@ee.unr.edu>
The bug seems to be present in all versions (even the ViaCrypt versions have this problem). It has been reported as a bug to the MIT pgp-keepers.
The "bug" looks like a deliberate design decision to me. Everything from the "--- BEGIN PGP" line to the first blank line is ignored, and is not considered part of the signed message. There's a comment in the source code (file armor.c in the versions I checked), saying "Skip header after BEGIN line". --apb (Alan Barrett)
On Fri, 30 Sep 1994, Alan Barrett wrote:
The bug seems to be present in all versions (even the ViaCrypt versions have this problem). It has been reported as a bug to the MIT pgp-keepers.
The "bug" looks like a deliberate design decision to me. Everything from the "--- BEGIN PGP" line to the first blank line is ignored, and is not considered part of the signed message. There's a comment in the source code (file armor.c in the versions I checked), saying "Skip header after BEGIN line".
Yes, this was a deliberate design decision, most probably so the same code could be used to parse --- BEGIN PGP ENCRYPTED MESSAGE --- and --- BEGIN PGP SIGNATURE ---. However, this is a _huge_ security hole, as it allows the nearly-undetectable modification of PGP-signed messages. Mike -- Michael Handler <grendel@netaxs.com> PGP public key available 1984: We're Behind Schedule Civil Liberty Through Complex Mathematics
Yes, this was a deliberate design decision, most probably so the same code could be used to parse --- BEGIN PGP ENCRYPTED MESSAGE --- and --- BEGIN PGP SIGNATURE ---. However, this is a _huge_ security hole, as it allows the nearly-undetectable modification of PGP-signed messages.
It's nowhere near undetectable. When you ask pgp to check the signature, pgp writes the signed message to a file (or to stdout), and that output does not include the {header/junk/extra stuff} between the BEGIN line and the blank line. I don't like this bug/feature, but I don't see it as a serious security problem for users who are aware of it. I do think it could be a problem for users who are not aware of it, and who incorrectly assume that the "good signature" message means that the {header/junk/extra stuff} was part of the signed material. --apb (Alan Barrett)
participants (3)
-
Alan Barrett -
Dr. D.C. Williams -
Michael Handler