[messaging] The Simple Thing

elijah elijah at riseup.net
Wed Sep 24 16:45:37 PDT 2014

On 09/24/2014 03:56 PM, Ximin Luo wrote:

> Efforts should still be made on UIs for this 2%, that reduce the cost
> of doing key validation. Then maybe 2% will slowly turn into 98%.


> Is one-sided MITM possible? If I am Bob and I am the 2% and I
> validate Alice's key, and I know my *own* key, then according to my
> own knowledge, both keys involved in the channel are valid and there
> should be no MITM?
> Alice does not know this of course, because she doesn't care. But
> this is different from your objection, where Bob's communication "is
> compromised". I don't think that can happen. Bob knows the
> communication is uncompromised, but Alice does not. As Bob, I am OK
> (the typical Bob should be OK) about Alice not knowing the
> communication is uncompromised, because I *do* know it.

In the case of OpenPGP, I thought that signatures on messages did not
include binding to the public keys of the recipients. In other words,
the sender signs the message text digest, appends to the message, and
then encrypts the whole thing with a symmetric session key, and the
session key is encrypted with the public key of the recipients.

If this is the case, then Alice could be fed a bogus key for Bob, which
her user agent happily accepts, and the MiTM decrypts Alice's message
and re-encrypts with Bob's correct key. Neither Bob nor Alice are aware
of the attack.

Even if the sender's signature was bound to the recipients' public keys,
couldn't a MiTM strip out the signatures? Either (1) I am wrong how
OpenPGP works, or (2) I am beginning to agree with more of the critiques
about how OpenPGP handles non-repudiation.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20140924/4f4fa2cf/attachment.sig>

More information about the Messaging mailing list