
PGP replay attack



-----BEGIN PGP SIGNED MESSAGE-----

There has been some discussion on using replay attacks against PGP
recently.  However, a timestamp is stored in the signature packet and is
signed along with the plaintext intended to be signed.  This eliminates the
need to include a timestamp in clear-signed data.  Someone can still send
a signed e-mail to a third party that was not the original recipient and
make it appear as though the sender did actually send the message to the
third party (e.g.

	Alice sends signed message to Bob
	Bob sends message with faked headers signed by Alice to Carol
	Carol believes Alice actually sent the message to her)

Such an attack would have to be executed shortly after the message was originally
clear-signed.  However, including timestamps in text to be signed is not
necessary.



-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMPhourZc+sv5siulAQHTTAP/XBlrV7nHd5pR9aTXr2Uk0M0fw4I6IjZZ
xeCx++vuIjcQuo/k8xH9YvBbn+MuoE11xbVLD58xYbELuVSdMUzCQ1mpQMho8mzs
O0ALr8dahq0N0Gl5kLwb97MzgJOgTwy6NSIK6883NCktAWJMsFoADpdzmDGWQbTc
ZzXJ3w5OiAQ=
=fWJb
-----END PGP SIGNATURE-----


--
finger -l [email protected] for PGP key  http://www.voicenet.com/~markm/
Fingerprint: bd24d08e3cbb53472054fa56002258d5  Key-ID: 0xf9b22ba5
"The NSA can have my private key when they pry it from my cold, dead
neurons." Unknown
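
The point above is that the creation time lives inside the signature packet, where PGP hashes it together with the text. The following Python script is an added example, not part of the original post: it strips the ASCII armor from the signature block shown above (copied verbatim from the message), decodes the PGP 2.6.x version 3 signature packet by hand, and reads back the signed timestamp and issuer key ID. The packet layout follows RFC 4880 section 5.2.2; the `signature_is_fresh` freshness window is this example's own policy choice, not anything PGP itself enforces.

```python
"""Added example: decode the v3 signature packet of the PGP 2.6.2 signature above
and read the creation timestamp the signer hashed along with the text.
Packet layout per RFC 4880 section 5.2.2 (version 3 signature packets)."""
import base64
from datetime import datetime, timezone

# The armored signature block from the message above, copied verbatim.
SIGNATURE_BLOCK = """-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMPhourZc+sv5siulAQHTTAP/XBlrV7nHd5pR9aTXr2Uk0M0fw4I6IjZZ
xeCx++vuIjcQuo/k8xH9YvBbn+MuoE11xbVLD58xYbELuVSdMUzCQ1mpQMho8mzs
O0ALr8dahq0N0Gl5kLwb97MzgJOgTwy6NSIK6883NCktAWJMsFoADpdzmDGWQbTc
ZzXJ3w5OiAQ=
=fWJb
-----END PGP SIGNATURE-----
"""


def dearmor(block: str) -> tuple[bytes, int]:
    """Strip ASCII armor; return (packet bytes, CRC-24 from the '=xxxx' line)."""
    lines = block.strip().splitlines()[1:-1]   # drop the BEGIN/END lines
    body = lines[lines.index("") + 1:]          # skip armor headers ("Version:")
    if not body[-1].startswith("="):
        raise ValueError("armor checksum line missing")
    data = base64.b64decode("".join(body[:-1]))
    crc = int.from_bytes(base64.b64decode(body[-1][1:]), "big")
    return data, crc


def crc24(data: bytes) -> int:
    """OpenPGP armor checksum (RFC 4880 section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def parse_v3_signature(data: bytes) -> dict:
    """Decode an old-format packet header followed by a version 3 signature body."""
    tag_byte = data[0]
    if tag_byte & 0xC0 != 0x80:
        raise ValueError("expected an old-format packet header")
    tag = (tag_byte >> 2) & 0x0F
    len_bytes = {0: 1, 1: 2, 2: 4}.get(tag_byte & 0x03)
    if len_bytes is None:
        raise ValueError("indeterminate packet length not supported")
    body_len = int.from_bytes(data[1:1 + len_bytes], "big")
    body = data[1 + len_bytes:1 + len_bytes + body_len]
    if tag != 2 or len(body) != body_len:
        raise ValueError("not a complete signature packet")
    if body[0] != 3 or body[1] != 5:
        raise ValueError("only v3 signatures with 5 hashed bytes are handled")
    # body[2:7] (signature type + 4-byte creation time) is the hashed material:
    # it is covered by the signature, so the timestamp cannot be altered
    # without the signer's private key.
    created = int.from_bytes(body[3:7], "big")
    return {
        "sig_type": body[2],                     # 0x01 = canonical text document
        "created": created,
        "created_utc": datetime.fromtimestamp(created, tz=timezone.utc).isoformat(),
        "key_id": body[7:15].hex().upper(),      # low 32 bits match the footer Key-ID
        "pubkey_algo": body[15],                 # 1 = RSA
        "hash_algo": body[16],                   # 1 = MD5
        "hash_left": body[17:19].hex().upper(),
        "rsa_mpi_bits": int.from_bytes(body[19:21], "big"),
    }


def parse_signature_block(block: str) -> dict:
    data, crc = dearmor(block)
    info = parse_v3_signature(data)
    info["armor_crc_ok"] = crc24(data) == crc
    return info


def signature_is_fresh(created: int, received_at: int, max_age: int) -> bool:
    """Recipient-side replay check applied after the signature verifies: reject a
    signed timestamp that is older than max_age seconds or lies in the future.
    The window itself is this example's policy, not part of PGP."""
    return 0 <= received_at - created <= max_age


if __name__ == "__main__":
    for key, value in parse_signature_block(SIGNATURE_BLOCK).items():
        print(f"{key:14} {value}")
```

Running it shows a creation time of 1996-01-14 02:21:46 UTC and an issuer key ID whose low 32 bits are `F9B22BA5`, matching the Key-ID in the footer. A recipient who compares that signed timestamp against the time the mail actually arrived gets the check the post alludes to: a forwarded copy can only pass as "just sent" while the signed timestamp is still recent, which is why the post says the attack has to be executed shortly after signing.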