Re: Potential PGP signature verification problem?

[Peter Hanecak <hanecak () megaloman com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

On 12 Mar 2003, Avri Schneider wrote:

> --[PinePGP]--------------------------------------------------[begin]--
> Hello,
>
> I have come across a possible problem in the way PGP handles
> signature verification.
> The problem lies in the fact that PGP will strip OLE objects inserted
> in an e-mail and verify the message signature based only on the text,
> not informing the user that objects were striped.
> A WordPad document can be inserted in the e-mail as an OLE object,
> having the same font style and size as the original message.
> An attacker would take a signed message and insert such word document
> anywhere in the message as an OLE object and when the recepient
> checks the signature - the wordpad document is stripped and the
> signature would be valid - The attack would only work if the
> recepient does not use the pgp verified message "text viewer" dialog
> box to read the message but uses it only to verify the validity of
> the signature.
>
> This was tested with pgp.com's PGP version 8.0, other versions may be
> vulnerable as well.
>
> I have experimented with older versions and they only worked in the
> hash field of the PGP header which is stripped before the message is
> verified and the same attack can be performed but text would only be
> added at the beginning of the message.
>
> Regards,
> Avri Schneider
> http://pgp.mit.edu 0x44F87D04
>
> --[PinePGP]-----------------------------------------------------------
> gpg: Signature made Mon 10 Mar 2003 10:14:16 PM CET using DSA key ID 44F87D04
> gpg: Good signature from "Avri Schneider <avri.schneider () ca com>"
> gpg:                 aka "Schneider, Avri </o=cai/ou=islandia/cn=Recipients/cn=schav01>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the owner.
> Fingerprint: 6919 8759 AAE1 3D99 B44D  4493 67A5 8491 44F8 7D04
> --[PinePGP]----------------------------------------------------[end]--

sounds to me like MUA problem, not PGP problem.

Because I'm author of PinePGP I'm quite "educated" about how Pine handles 
signatures and attachments with this tool - to make things easier and also 
because of Pine filtering limitations PinePGP check only text parts of 
MIME messages. Attachments are not signed, not encrypted, not decrypted 
nor verified by PinePGP.

To somehow protect attachments, you may include for example MD5 checksums 
into text part of message. Or you can sign and/or encrypt (and then veryfy 
and/or decrypt) by hand outside of MUA.

To make simple ilustration how Pine_PinePGP works: This is MIME message:

- ----------------------------------------------------------------------
From: ...
To: ....
Subject: ...
...
Content-Type: ...; boundary="-XXX-"

- ---XXX-
Content-Type: text/plain

This is text message - it can be signed and also encrypted. Pine+PinePGP 
ussualy handle that as you expect - encryp and/or sign if you ask to, 
decrypt and/or verify automaticaly.

Content (clear text or encrypted) plus signature are all parts of just 
this MIME part of this e-mail message.

- ---XXX-
Content-Type: application/octet-stream

This is some binary attachment. Pine+PinePGP do not touch this - i.e. no 
signing, no encryption, no automatic verification now decryption.

It may be encrypted and also signed (if done manualy and then attached to 
message) but PinePGP does not check it - it's not text/plain .

- ---XXX---
- ----------------------------------------------------------------------

Pine filters can handle only trext/plain messages thus PinePGP only offer 
crypto functions only to text parts of e-mail MIME messages.


And, IMO, that's the way other MUAs (and their PGP plugins for MUAs) may 
work. (Note: But for example 'mutt' does not work this way - signatures 
are not part of text part of MIME message but are in separate MIME part, 
thus it may work differently wit document attachments).

But it's hard to tell. What MUA do you use?

Sincerely

Peter Hanecak

- -- 
========================================================
  Peter Hanecak <hanecak () megaloman sk>
  GPG pub.key: http://www.megaloman.sk/gpg/hanecak.txt
========================================================
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE+cDel1rzDsblwlA8RAjM3AJ9nF2xJHwKoe2u/Tkr09D1G8kF+IgCfUV00
JCu19Tk6AncGKajaE7Tm2yw=
=fk1Y
-----END PGP SIGNATURE-----