[messaging] The Simple Thing

Ximin Luo infinity0 at pwned.gg
Thu Sep 25 03:24:54 PDT 2014


On 25/09/14 00:45, elijah wrote:
>> Is one-sided MITM possible? If I am Bob and I am the 2% and I
>> validate Alice's key, and I know my *own* key, then according to my
>> own knowledge, both keys involved in the channel are valid and there
>> should be no MITM?
>>
>> Alice does not know this of course, because she doesn't care. But
>> this is different from your objection, where Bob's communication "is
>> compromised". I don't think that can happen. Bob knows the
>> communication is uncompromised, but Alice does not. As Bob, I am OK
>> (the typical Bob should be OK) about Alice not knowing the
>> communication is uncompromised, because I *do* know it.
> 
> In the case of OpenPGP, I thought that signatures on messages did not
> include binding to the public keys of the recipients. In other words,
> the sender signs the message text digest, appends to the message, and
> then encrypts the whole thing with a symmetric session key, and the
> session key is encrypted with the public key of the recipients.
> 
> If this is the case, then Alice could be fed a bogus key for Bob, which
> her user agent happily accepts, and the MiTM decrypts Alice's message
> and re-encrypts with Bob's correct key. Neither Bob nor Alice are aware
> of the attack.
> 
> Even if the sender's signature was bound to the recipients' public keys,
> couldn't a MiTM strip out the signatures? Either (1) I am wrong how
> OpenPGP works, or (2) I am beginning to agree with more of the critiques
> about how OpenPGP handles non-repudiation.
> 

Data blob signatures don't contain binding to the recipient, no ("it's not OpenPGP's problem" ¬.¬), but you could embed a "To: Bob $KEYID" in the contents of your message if you want to protect against that. But still, the contents of the first message would be compromised. This is a known attack and I think someone should fix it, but nobody has taken the effort to submit a proposal to PGP/MIME or whatever the standard is, and I've seen encrypted email application developers explicitly refuse to implement this until there is already a standard. :/

So yes, your attack works with imperfect protocols. I was being too idealistic. :p

If a MITM strips out the signatures (or a MAC, in a different protocol) then Bob detects this, because he would detect fake-Alice's signature.

But actually, your objection still holds for ideal protocols, it just wouldn't be a "MITM". I forgot the case where Alice isn't talking to Bob in the first place (Bob is completely out of the scenario). Then Alice might reveal things about Bob because she thinks she's talking to him, but didn't verify this.

X

-- 
GPG: 4096R/1318EFAC5FBBDBCE
git://github.com/infinity0/pubkeys.git
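As an added illustration (not part of this thread and not OpenPGP or any real library), here is a constructed toy model of sign-then-encrypt that shows why a re-encrypted message passes Bob's signature check, and how the "To: Bob $KEYID" line inside the signed contents lets Bob's side detect it; key ids, secrets and message text are made up:

```python
import hmac
import hashlib

# Constructed toy model of sign-then-encrypt (not OpenPGP, not any real library).
# Long-term secrets stand in for private keys; a "signature" is an HMAC under the
# signer's secret; "encryption" addresses a blob to a key id and decryption succeeds
# only for the holder of that key. Real asymmetric primitives don't change the point.
SECRETS = {"alice": b"alice-secret", "bob": b"bob-secret", "mallory": b"mallory-secret"}

def sign(signer, body):
    sig = hmac.new(SECRETS[signer], body.encode(), hashlib.sha256).hexdigest()
    return (body, sig)

def verify(signer, body, sig):
    return hmac.compare_digest(sign(signer, body)[1], sig)

def encrypt(recipient, signed):
    # Toy confidentiality: the blob is addressed to one key id; see decrypt().
    return {"to": recipient, "inner": signed}

def decrypt(holder, ct):
    if ct["to"] != holder:
        raise PermissionError("not encrypted to this key")
    return ct["inner"]

def receive(holder, ct, expected_signer, check_binding):
    """Bob's receive logic; check_binding enables the signed 'To: $KEYID' check."""
    body, sig = decrypt(holder, ct)
    if not verify(expected_signer, body, sig):
        return "reject: bad signature"        # stripped or replaced signature is caught
    if check_binding:
        header, _, _ = body.partition("\n")
        if header != f"To: {holder}":
            return "reject: signed recipient is not me"
    return "accept"

def run_scenario(bind_recipient, bogus_key_for_bob=True):
    """Alice writes to Bob. If bogus_key_for_bob, her agent was fed Mallory's key."""
    addressed_to = "mallory" if bogus_key_for_bob else "bob"
    body = "hi Bob, the meeting is at 10"
    if bind_recipient:
        body = f"To: {addressed_to}\n" + body  # Alice names the key she *thinks* is Bob's
    ct = encrypt(addressed_to, sign("alice", body))
    if bogus_key_for_bob:
        # Mallory holds the bogus key: the message is readable to her, and she can
        # re-address it, signature intact, to Bob's correct key.
        ct = encrypt("bob", decrypt("mallory", ct))
    return receive("bob", ct, "alice", bind_recipient)
```

Without the binding check Bob accepts the forwarded message; with it he rejects it because the signed header names a key that isn't his, though, as noted above, Alice's first message has already been read by the holder of the bogus key.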
