[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Kong Re: Using a password as a private key.




		(James - bug report below.)
At 07:21 PM 10/29/98 +0100, Anonymous wrote:
>What happens if you create another key which signs an existing message,
>as was illustrated here recently in the case of Toto's key.  Can you
>convince Kong that you are the same person who sent the earlier message?

No, you can't.  I've got some sample Kong documents below.
(Be sure to get the US version of Kong from http://catalog.com/jamesd/kong/
rather than the somewhat older version from replay (which you get
if you tell James's page you're not a US/Canadian citizen.
Some UnAmerican should hack their way through James's protection
and update replay's version.))

If you check the signature on a document identical to one
you've already got stored, it'll tell you about it, and list
all the usernames that have signed that document.

When you try to store a second key with the same name as an existing key,
it'll tell you that they're different, and let you add a note to the new one.
(Unfortunately, it doesn't also let you add a note to the first one;
a nice feature change would be to always ask for notation when
receiving a new key.)  

(It's a bit hard to test on one machine, since you tend to step
over yourself in the process, but it should work fine in a clean environment,
and Kong is very tolerant of having its Kong.mdb file blown away
and doesn't even mind some editing using MS Access, though YMMV.)


Signed by one key calling itself t3 - note the +Q in the first line
    --
It's a fnord!  Run for your life!
    --digsig
         t3
     +Q+XF9EiiOOGFa6rYr5QtU2My14/KyO01DHLikYDVv
     Fy1GfdEmmV07XfX9R3HEOc/BA+ajNa8/MRqDBhE1
     4eLHEngilBC2g81hloGGQFmOYd35vQEHKGtBcb4F9

Signed by a different key calling itself t3 - note the H9 in the first line
    --
It's a different fnord!
    --digsig
         t3
     H9/V3rBrv7Ha3g0Z1/ywvbHimgezshgcTzSYJxbS4z
     nCRf3S7brCpkLPzUD+dSFcErPNB+SdrF0q46TZnH
     4YHfVOu6q+51iKrRc3ru63qk1wWCR2uR3wCALQRjs

Same document as before, signed by the H9 t3
    --
It's a fnord!  Run for your life!
    --digsig
         t3
     H9/V3rBrv7Ha3g0Z1/ywvbHimgezshgcTzSYJxbS4z
     z662iY5op2nMkXrI7nP4A5ehgvaoB5+q5daHbHgl
     4NmZf3tZdVcZObpUmovyAeDBMZr1W9t5lDICMJc8b


Kong lets you sign a document in different modes -
in one mode, the document can't be modified after signing,
and in other modes you can change whitespace or linebreaks,
making it more tolerant of different email environments.

    --
This message didn't have any line breaks, 
and it's in Text mode.
    --digsig
         t3
     H9/V3rBrv7Ha3g0Z1/ywvbHimgezshgcTzSYJxbS4z
     aAGTQyJ92R6XeoH7ZTepQ0f79xKddgm+bsIfLckn
     4+WLznhaXWAf7fX0yay4Ajq6Bg+AGQo0T8r8aWbJ2

    --
This message didn't have any line breaks,  
and it's in Strict mode, 
so this should fail.
    --digsig
         t3
     H9/V3rBrv7Ha3g0Z1/ywvbHimgezshgcTzSYJxbS4z
     /6YbckVZQdSNbu4DSbrIjXRmu2wU8IiiXP3LnyUn
     2I/gQ5Uq5+42xQYfLxCbDM+YwowNgkBFXlfPvfIYK

By the way, you don't want to hit the "view" button
after checking this one - you'll get 
Run-Time Error 3021 - No current Record
and then Kong dies.


				Thanks! 
					Bill
Bill Stewart, [email protected]
PGP Fingerprint D454 E202 CBC8 40BF  3C85 B884 0ABE 4639