A weakness in PGP signatures, and a suggested solution

Derek Atkins warlord at ATHENA.MIT.EDU
Wed Jan 17 21:03:43 PST 1996


> Your PGP-aware mail agent should add a line to the text to be
> encrypted, consisting of a random number (hopefully very unguessable
> and fairly random) and an RFC822 header:
> 
> X-PGP-nonce: b1de70694f5f0824f89cb3f09aece01d
> 
> and replicate that in the RFC822 envelope.
> Put just the nonce value and not the header in the block to be
> encrypted if you're concerned about assisting a known-plaintext attack.

Actually, that doesn't work either -- if I wanted to forward the
message you sent me to someone else to make them think that you sent
it to them, I could just take the nonce and put that in the header of
my forwarded message and it would match...

No, you need to include the "to" and "cc" fields as well inside the
signed message.  But again, the MUA should do this, not PGP.

-derek
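As an added illustration (not part of Derek's message or of PGP itself), a small Python model of the two binding choices he contrasts: a signature that covers only the nonce still verifies after the envelope is re-addressed, while one that also covers To and Cc does not. The HMAC, the shared key, the addresses and the message body are constructed stand-ins for a real PGP signature and real mail.

```python
import hmac
import hashlib

# Constructed stand-in for the signer's key; a real PGP signature
# would use the sender's private key instead of a shared secret.
KEY = b"constructed-demo-key"
NONCE = "b1de70694f5f0824f89cb3f09aece01d"  # the nonce from the quoted proposal


def signed_text(headers, body, bound_fields):
    """Build the exact bytes the signature covers: the chosen envelope
    fields (in a fixed order) followed by the body."""
    lines = [f"{name}: {headers[name]}" for name in bound_fields]
    return ("\n".join(lines) + "\n\n" + body).encode()


def sign(key, data):
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def make_message(key, headers, body, bound_fields):
    return {"headers": dict(headers), "body": body,
            "bound": list(bound_fields),
            "sig": sign(key, signed_text(headers, body, bound_fields))}


def verify(key, msg):
    """Recompute the signature over the envelope as actually received."""
    expected = sign(key, signed_text(msg["headers"], msg["body"], msg["bound"]))
    return hmac.compare_digest(msg["sig"], expected)


def readdressed(msg, new_to):
    """Same body, same nonce, same signature; only the envelope To changes,
    which is the forwarding case Derek describes."""
    fwd = {**msg, "headers": dict(msg["headers"])}
    fwd["headers"]["To"] = new_to
    return fwd


def demo():
    hdrs = {"From": "alice@example.org", "To": "bob@example.org",
            "Cc": "", "X-PGP-nonce": NONCE}  # constructed envelope
    nonce_only = make_message(KEY, hdrs, "hello", ["X-PGP-nonce"])
    with_recipients = make_message(KEY, hdrs, "hello", ["X-PGP-nonce", "To", "Cc"])
    return (verify(KEY, readdressed(nonce_only, "carol@example.org")),
            verify(KEY, readdressed(with_recipients, "carol@example.org")))


if __name__ == "__main__":
    print(demo())  # (True, False): nonce alone does not bind the recipient
```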