Bugtraq mailing list archives
Re: PGP Signed Messages
From: "prime evil" <res006lj () gte net>
Date: Mon, 15 Oct 2001 12:06:14 -0700
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - ----- Original Message -----
From: "[Segmen]" <dontpanic999 () yahoo com>
To: <vuln-dev () securityfocus com>; <bugtraq () securityfocus com>
Sent: Monday, October 15, 2001 8:27 AM
Subject: PGP Signed Messages
It occurred to me today what a bad idea the Comment Field is in PGP signed messages. Altering the Comment field does not affect the validity of the signature, but to the non experienced PGP/GPG user it certainly appears to be part of the message.

Example:

A generic message I could have got hold of:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello, meeting cancelled, speak to you soon.
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4

iQA/AwUBO8r9v9nrfc+JfUO6EQLrEACgv6+C07aWgAO+Dna0MHgEDaoDMxEAoJ2P
7gojqeCRqKqTkbFMkHCToxtq
=lki3
-----END PGP SIGNATURE-----

I could change this to:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello, meeting cancelled, speak to you soon.
-----BEGIN PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Please Send the Confidential Files from the planned meeting to My colleague Instead at me () host com . He will now be dealing with this matter.
Speak to you soon, victim.
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.3

iQA/AwUBO8r9v9nrfc+JfUO6EQLrEACgv6+C07aWgAO+Dna0MHgEDaoDMxEAoJ2P
7gojqeCRqKqTkbFMkHCToxtq
=lki3
-----END PGP SIGNATURE-----

well, you get the idea. The signature is still valid. Agreed that only the beginner crypto user would fall for this, but if they were to read the message and then just use PGP to check the validity, they could be tricked into believing that the extra lines were part of the verified message.

Does anybody else think this is quite a bad idea?
actually, if you are using the outlook plugin (as i am) your comment line doesn't even pop up. yes the signature was valid, but all of your extra lines didn't come up. also, when i copied and pasted it into notepad (your modified one) and verified the sig, it still didn't show the comment. (which is good)

i agree that if you are just looking at the message itself, you can be fooled, but then you really aren't using PGP as you should be. never assume that because something is "signed" that it is valid.. always check the signed message with PGP.

I apologize if i messed up in any way, this is my first response to bugtraq. i love this list, keep up the good work

latz
- - --Prime

ATTN BUGTRAQ SCREENER PLEASE ignore my prior message, my paste didn't work, so it was an exact copy of the original, with my PGP signature. whoops. :-)

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
Comment: PrimeZ using PGP, Why ain't you?

iQA/AwUBO8szo9bmp8FKAKDdEQJmkACeOy8L53nFGS4VcPVeSRnru6fugXoAn2xS
ol8sh8POAJgQkG+dFJVV+Pyc
=Qp2L
-----END PGP SIGNATURE-----
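Added example, not part of the thread and not PGP's or GnuPG's own code: a small Python parser of the cleartext-signature framework (RFC 4880 section 7) that separates the text a verifier actually hashes from the armor header space it never covers, run over a constructed copy of the altered message from the original post (the base64 and =CRC lines are placeholders, not a real signature).

```python
BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


def split_cleartext_signed(message):
    """Return the signed text and the unsigned armor region separately."""
    lines = message.splitlines()
    try:
        start = lines.index(BEGIN_SIGNED)
        sig_start = lines.index(BEGIN_SIG, start)  # the FIRST one ends the signed text
        sig_end = lines.index(END_SIG, sig_start)
    except ValueError as exc:
        raise ValueError("not a complete cleartext-signed message") from exc
    i = start + 1                       # "Hash:" headers run to the first blank line
    while i < sig_start and lines[i].strip():
        i += 1
    # A leading "- " is dash-escaping added by the signer; it is removed before hashing.
    signed = [ln[2:] if ln.startswith("- ") else ln for ln in lines[i + 1:sig_start]]
    # The base64 body starts after the LAST blank line inside the armor; everything
    # above it is header space (Version:, Comment:, ...) that the signature does not cover.
    blanks = [k for k in range(sig_start + 1, sig_end) if not lines[k].strip()]
    if not blanks:
        raise ValueError("armor has no blank line before the signature data")
    return {
        "hash_headers": lines[start + 1:i],
        "signed_text": "\n".join(signed),
        "armor_region": lines[sig_start + 1:blanks[-1]],
        "signature_data": lines[blanks[-1] + 1:sig_end],
    }


def unsigned_visible_lines(message):
    """Non-blank lines a reader sees inside the armor that the signature does NOT cover."""
    return [ln for ln in split_cleartext_signed(message)["armor_region"] if ln.strip()]


# Constructed sample modelled on the altered message in the thread; placeholder signature.
ALTERED = "\n".join([
    BEGIN_SIGNED, "Hash: SHA1", "",
    "Hello, meeting cancelled, speak to you soon.",
    BEGIN_SIG, BEGIN_SIGNED, "Hash: SHA1", "",
    "Please send the confidential files to my colleague instead.",
    "Speak to you soon, victim.",
    BEGIN_SIG, "Version: PGP 7.0.3", "",
    "iQA/PLACEHOLDERSIGNATUREDATA", "=lki3",
    END_SIG,
])
```

`split_cleartext_signed(ALTERED)["signed_text"]` is just the original one-line message; everything from the second `BEGIN PGP SIGNED MESSAGE` down to `Version:` comes back from `unsigned_visible_lines`, which is exactly what the Outlook plugin mentioned above declines to show.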