broken: #secure method=pgp mode=signencrypt

broken: #secure method=pgp mode=signencrypt

[Matthias Andree]

Hi,

apparently, these modes are broken:

#secure method=pgp mode=signencrypt
#secure method=pgp mode=encrypt

this works for me:

#secure method=pgpmime mode=signencrypt


A method=pgp mode=encrypt emits base64 junk after decrypting.

A method=pgp mode=signencrypt emits this fine dung after decrypting
(screenshot from mutt, Gnus doesn't do any better).

Does Gnus run gnupg twice or something? Once to clearsign, then to
encrypt?

^M
=2D----BEGIN PGP SIGNED MESSAGE-----^M
^M
=E4=F6=FC=DF=C4=D6=DC=A7^M
^M
=2D --=20^M
Matthias Andree^M
=2D----BEGIN PGP SIGNATURE-----^M
Version: GnuPG v1.2.2 (GNU/Linux)^M
^M
iQCVAwUBPws7fSdEoB0mv1ypAQE4bwP8DVOReiE65r4pQauyt8ipYEeQrrnP1tZN^M
ua63HxthCOudN31hZxu8VaF8++kY6Rk26WK0WvDXmSLVi4eEVBHBM6Gk1pKkmf7i^M
nQTY3kjUzui7/aXEXld+hGY8TI6Hwk3OUHj8kngMkURzYtLaNMfse/hvY67kbQ5W^M
m5qHOYTh+30=3D^M
=3DEj5W^M
=2D----END PGP SIGNATURE-----^M

-- 
Matthias Andree

Re: broken: #secure method=pgp mode=signencrypt

[Simon Josefsson]

Matthias Andree <ma@dt.e-technik.uni-dortmund.de> writes:

> Hi,
>
> apparently, these modes are broken:
>
> #secure method=pgp mode=signencrypt
> #secure method=pgp mode=encrypt
>
> this works for me:
>
> #secure method=pgpmime mode=signencrypt
>
>
> A method=pgp mode=encrypt emits base64 junk after decrypting.
>
> A method=pgp mode=signencrypt emits this fine dung after decrypting
> (screenshot from mutt, Gnus doesn't do any better).
>
> Does Gnus run gnupg twice or something? Once to clearsign, then to
> encrypt?

Yup.  See the Message manual on Security.  You want:

     (setq mml-signencrypt-style-alist '(("smime" combined)
                                         ("pgp" combined)
                                         ("pgpmime" combined)))

I think Gnus should default to this, or even better, figure out when
it doesn't work and revert back to the combined mode.

Re: broken: #secure method=pgp mode=signencrypt

[Matthias Andree]

On Wed, 09 Jul 2003, Simon Josefsson wrote:

> > Does Gnus run gnupg twice or something? Once to clearsign, then to
> > encrypt?
> 
> Yup.  See the Message manual on Security.  You want:
> 
>      (setq mml-signencrypt-style-alist '(("smime" combined)
>                                          ("pgp" combined)
>                                          ("pgpmime" combined)))
> 
> I think Gnus should default to this, or even better, figure out when
> it doesn't work and revert back to the combined mode.

This convolution is an astonishment, and as such, violates the POLA. :->

What I particularly take offense at is this allegation:

   Will cause Gnus to sign and encrypt in one pass, thus generating a
   single signed and encrypted part.  Note that combined sign and encrypt
   does not work with all supported OpenPGP implementations (in
   particular, PGP version 2 do not support this).

I have just verified this with mutt and pgp-2.6.3i, and pgp on the
command line, it just works. It has always worked as long as I can
remember. (Plus, PGP-2 certainly doesn't claim OpenPGP conformance, it's
too old to.)

The other issue (might be a feature request or yet another question for
help with the configuration) is that Gnus doesn't show me the boundaries
of the encrypted part of such a mail unless I press W s, and if I do, it
still doesn't tell me the part was signed, I only get to know it was
encrypted. Strange?

-- 
Matthias Andree

Re: broken: #secure method=pgp mode=signencrypt

[Florian Weimer]

Matthias Andree <matthias.andree@gmx.de> writes:

> What I particularly take offense at is this allegation:
>
>    Will cause Gnus to sign and encrypt in one pass, thus generating a
>    single signed and encrypted part.  Note that combined sign and encrypt
>    does not work with all supported OpenPGP implementations (in
>    particular, PGP version 2 do not support this).
>
> I have just verified this with mutt and pgp-2.6.3i, and pgp on the
> command line, it just works. It has always worked as long as I can
> remember. (Plus, PGP-2 certainly doesn't claim OpenPGP conformance, it's
> too old to.)

The problem is that GnuPG cannot encrypt + sign in one pass in a way
that yields a message that can be processed by PGP 2.6.x (even after
patching the necessary algorithms into PGP or GnuPG).  This problem
does not arise if you sign and encrypt separately.

Re: broken: #secure method=pgp mode=signencrypt

[Matthias Andree]

Florian Weimer <fw@deneb.enyo.de> writes:

> The problem is that GnuPG cannot encrypt + sign in one pass in a way
> that yields a message that can be processed by PGP 2.6.x (even after
> patching the necessary algorithms into PGP or GnuPG).  This problem
> does not arise if you sign and encrypt separately.

Creating messages that even Gnus itself cannot read back properly is
certainly not a solution to this lack, and the "garbage in encrypt
without sign" issue has been lost in the course of this thread.

-- 
Matthias Andree

Re: broken: #secure method=pgp mode=signencrypt

[Simon Josefsson]

Matthias Andree <ma@dt.e-technik.uni-dortmund.de> writes:

> Florian Weimer <fw@deneb.enyo.de> writes:
>
>> The problem is that GnuPG cannot encrypt + sign in one pass in a way
>> that yields a message that can be processed by PGP 2.6.x (even after
>> patching the necessary algorithms into PGP or GnuPG).  This problem
>> does not arise if you sign and encrypt separately.
>
> Creating messages that even Gnus itself cannot read back properly is
> certainly not a solution to this lack, and the "garbage in encrypt
> without sign" issue has been lost in the course of this thread.

The problem, FWIW, is that mm-uu decoded data is not recursively feed
to mm-uu again.  So the PGP encrypted data that mm-uu decrypts is
displayed instead of being checked for a correct signature, which
mm-uu can do too.

(Although the PGP blob regexp in mm-uu probably should be changed from
^-----BEGIN to ^\(=2D\|-\)----BEGIN to cater for the header escaping
that Gnus perform for other purposes.)

Re: broken: #secure method=pgp mode=signencrypt

[Simon Josefsson]

Matthias Andree <matthias.andree@gmx.de> writes:

> The other issue (might be a feature request or yet another question for
> help with the configuration) is that Gnus doesn't show me the boundaries
> of the encrypted part of such a mail unless I press W s, and if I do, it
> still doesn't tell me the part was signed, I only get to know it was
> encrypted. Strange?

Probably not; Gnus doesn't know that a PGP message blob is signed or
not, it just assume it is (only) encrypted.  Parsing the output from
GnuPG and looking for GOODSIG and similar text could work (although
one should be careful not to use data from the message itself), but
perhaps the proper solution is to write a simple OpenPGP message
decoder, like Gnus do to distinguish between signed, encrypted or
enveloped PKCS#7 aka CMS aka S/MIME messages.

Re: broken: #secure method=pgp mode=signencrypt

[Matthias Andree]

Simon Josefsson <jas@extundo.com> writes:

> Probably not; Gnus doesn't know that a PGP message blob is signed or
> not, it just assume it is (only) encrypted.  Parsing the output from
> GnuPG and looking for GOODSIG and similar text could work (although
> one should be careful not to use data from the message itself), but
> perhaps the proper solution is to write a simple OpenPGP message
> decoder, like Gnus do to distinguish between signed, encrypted or
> enveloped PKCS#7 aka CMS aka S/MIME messages.

I wonder if Gnus is the only software that needs to go these lenghts, or
if gpgme could somehow be married to Gnus.

-- 
Matthias Andree

Re: broken: #secure method=pgp mode=signencrypt

[Jan Rychter]

[-- Attachment #1: Type: text/plain, Size: 1062 bytes --]

Simon Josefsson:
> Matthias Andree <ma@dt.e-technik.uni-dortmund.de> writes:
> > Hi,
> >
> > apparently, these modes are broken:
> >
> > #secure method=pgp mode=signencrypt
> > #secure method=pgp mode=encrypt
> >
> > this works for me:
> >
> > #secure method=pgpmime mode=signencrypt
> >
> >
> > A method=pgp mode=encrypt emits base64 junk after decrypting.
> >
> > A method=pgp mode=signencrypt emits this fine dung after decrypting
> > (screenshot from mutt, Gnus doesn't do any better).
> >
> > Does Gnus run gnupg twice or something? Once to clearsign, then to
> > encrypt?
> 
> Yup.  See the Message manual on Security.  You want:
> 
>      (setq mml-signencrypt-style-alist '(("smime" combined)
>                                          ("pgp" combined)
>                                          ("pgpmime" combined)))
> 
> I think Gnus should default to this, or even better, figure out when
> it doesn't work and revert back to the combined mode.

I got bitten by the same thing. IMHO it should default to this.

--J.

[-- Attachment #2: Type: application/pgp-signature, Size: 188 bytes --]

Re: broken: #secure method=pgp mode=signencrypt

[Simon Josefsson]

Jan Rychter <jan@rychter.com> writes:

>> Yup.  See the Message manual on Security.  You want:
>> 
>>      (setq mml-signencrypt-style-alist '(("smime" combined)
>>                                          ("pgp" combined)
>>                                          ("pgpmime" combined)))
>> 
>> I think Gnus should default to this, or even better, figure out when
>> it doesn't work and revert back to the combined mode.
>
> I got bitten by the same thing. IMHO it should default to this.

Florian explained that the compatibility problem wasn't at the sender,
but rather at the receiver, so I changed my opinion and now think that
we shouldn't use combined mode by default since it isn't
interoperable.  We should make the "separate" mode work correctly
though.  This is somewhat unfortunate though.  An alternative would be
to state that we cannot talk to PGP 2.x properly.

Hm.  OTOH, since we are encrypting the message, we know who the
receivers are.  Can't we look at the receivers OpenPGP keys to see if
any of them suggest that a broken applications is used?  Florian?

how to signencrypt with gpg for pgp2 (was: broken: #secure method=pgp mode=signencrypt)

[Matthias Andree]

Simon Josefsson <jas@extundo.com> writes:

> Florian explained that the compatibility problem wasn't at the sender,
> but rather at the receiver, so I changed my opinion and now think that
> we shouldn't use combined mode by default since it isn't
> interoperable.

Maybe I can make you change your mind yet again.

> We should make the "separate" mode work correctly though.  This is
> somewhat unfortunate though.  An alternative would be to state that we
> cannot talk to PGP 2.x properly.

"Replacing PGP 2.x with GnuPG" by Kyle Hasselbacher et al,
<URL:http://www.gnupg.org/gph/en/pgp2x.html>, comes to our rescue:
it documents a workaround (with minor errors in the first of the four
stages). It's not trivial, but works.

I've cast this workaround into a sh script, and I've successfully
"signencrypt"ed a mail with GnuPG 1.2.2 that I can decode with pgp
2.6.3in without difficulties. Script and screenshots below.

Here's the unpolished script, you may test it but please don't include
it with Gnus or distribute otherwise. If we want to use such a wrapper
script in Gnus (rather than have someone - not me, I don't speak Elisp -
reimplement it in pgg.el), I can polish and document it, add getopt
parsing for the keys and put it under the GPL.

When testing, adjust the localkey (signing key) and remotekey
(recipient's key), and send yourself an email. :-)

--cut-here------------------------------------------------------------------
#! /bin/sh
# (C) Copyright 2003, Matthias Andree. All rights reserved.
localkey=0x26bf5ca9
remotekey=0x26bf5ca9
input=${1:=test}
tmppfx=gs2p2.$$.
armor=--armor

trap "rm -f \"${tmppfx}\"* ; exit 1" 0 1 2 3 15
set -e
gpg --detach-sign --local-user "$localkey" --output "${tmppfx}sig" "$input"
gpg --store -z 0 --output "${tmppfx}lit" "$input"
cat "${tmppfx}sig" "${tmppfx}lit" \
| gpg --no-options --no-literal --store --compress-algo 1 --output "${tmppfx}z"
gpg --rfc1991 --cipher-algo idea --no-literal --encrypt \
    --recipient "$remotekey" --output `basename "$input"`.asc "${tmppfx}z"
rm -f "${tmppfx}"*
trap 0 1 2 3 15
exit 0
--cut-here------------------------------------------------------------------

Here are the screenshots:

signencrypt stage, GnuPG 1.2.2 + above script at work:

|$ gpg-signencrypt-to-pgp2.sh test
|
|You need a passphrase to unlock the secret key for
|user: "Matthias Andree <matthias.andree@gmx.de>"
|1024-bit RSA key, ID 26BF5CA9, created 1996-01-18
|
|gpg: NOTE: --no-literal is not for normal use!
|gpg: NOTE: --no-literal is not for normal use!
|gpg: 0x26bf5ca9: skipped: public key already present
|File `test.asc' exists. Overwrite (y/N)? y
|gpg: forcing symmetric cipher IDEA (1) violates recipient preferences
|gpg: this cipher algorithm is deprecated; please use a more standard one!

decrypt/verify stage, PGP 2.6.3in:

|$ pgp test.asc
|Pretty Good Privacy(tm) 2.6.3in - Public-key encryption for the masses.
|(c) 1990-96 Philip Zimmermann, Phil's Pretty Good Software. 2000-10-07
|International version - not for use in the USA. Does not use RSAREF.
|Current time: 2003/07/10 13:01 GMT
|
|File is encrypted.  Secret key is required to read it. 
|Key for user ID: Matthias Andree <matthias.andree@gmx.de>
|1024-bit key, key ID 26BF5CA9, created 1996/01/18
[...]
|
|You need a pass phrase to unlock your RSA secret key. 
|Enter pass phrase: Pass phrase is good.  Just a moment......
|File has signature.  Public key is required to check signature.
|.
|Good signature from user "Matthias Andree <matthias.andree@gmx.de>".
|Signature made 2003/07/10 13:01 GMT using 1024-bit key, key ID 26BF5CA9
|
|Plaintext filename: test
|Output file 'test' already exists.  Overwrite (y/N)? y

Bonus:

|$ cat test
|testäöüß

-- 
Matthias Andree

Re: how to signencrypt with gpg for pgp2 (was: broken: #secure method=pgp mode=signencrypt)

[Florian Weimer]

On Thu, Jul 10, 2003 at 03:14:59PM +0200, Matthias Andree wrote:

> "Replacing PGP 2.x with GnuPG" by Kyle Hasselbacher et al,
> <URL:http://www.gnupg.org/gph/en/pgp2x.html>, comes to our rescue:
> it documents a workaround (with minor errors in the first of the four
> stages). It's not trivial, but works.

<http://muppet.faveve.uni-stuttgart.de/~gero/gpg-2comp/>

gpg.el can be trivially reconfigured to use this script, and it once
worked.

Re: how to signencrypt with gpg for pgp2

[Simon Josefsson]

Matthias Andree <ma@dt.e-technik.uni-dortmund.de> writes:

>> We should make the "separate" mode work correctly though.  This is
>> somewhat unfortunate though.  An alternative would be to state that we
>> cannot talk to PGP 2.x properly.
>
> "Replacing PGP 2.x with GnuPG" by Kyle Hasselbacher et al,
> <URL:http://www.gnupg.org/gph/en/pgp2x.html>, comes to our rescue:
> it documents a workaround (with minor errors in the first of the four
> stages). It's not trivial, but works.

OK, this convinced me.  Apparently pure GnuPG users can't talk to PGP
2.x anyway, so this only affect people that have imported their old
PGP 2.x into GnuPG but still want to talk to PGP 2.x users.  It
doesn't look like a broad audience, and they are probably competent
enough to either configure PGG to use PGP 2.x (which is supported), or
customize pgg-gpg-program to "gpg-2comp", or customize
mml-signencrypt-style-alist (although the output doesn't look right in
Gnus due to the recursive UU decoding problem, but that may be fixed
in the future), or add support for the two-pass mode in pgg-gpg.el, or
talk their PGP 2.x users into using GnuPG.

I have written down some things learned from this thread in the
Message manual, in the Security node.  The relevant section included
below, comments appreciated.  Thanks to everyone who provided
information.

(Of course, if someone disagree with this, I can be convinced
otherwise again. :-))

Using PGP/MIME
--------------

   PGP/MIME requires an external OpenPGP implementation, such as GNU
Privacy Guard (http://www.gnupg.org/).  Pre-OpenPGP implementations
such as PGP 2.x and PGP 5.x are also supported.  One Emacs interface to
the PGP implementations, PGG (see *note PGG: (pgg)Top.), is included, but
Mailcrypt and Florian Weimer's `gpg.el' are also supported.

   Note, if you are using the `gpg.el' you must make sure that the
directory specified by `gpg-temp-directory' have permissions 0700.

   Creating your own key is described in detail in the documentation of
your PGP implementation, so we refer to it.

   If you have imported your old PGP 2.x key into GnuPG, and want to
send signed and encrypted messages to your fellow PGP 2.x users, you'll
discover that the receiver cannot understand what you send. One
solution is to use PGP 2.x instead (i.e., if you use `pgg', set
`pgg-default-scheme' to `pgp').  If you do want to use GnuPG, you can
use a compatibility script called `gpg-2comp' available from
<http://muppet.faveve.uni-stuttgart.de/~gero/gpg-2comp/>.  You could
also convince your fellow PGP 2.x users to convert to GnuPG.  As a
final workaround, you can make the sign and encryption work in two
steps; separately sign, then encrypt a message.  If you would like to
change this behavior you can customize the
`mml-signencrypt-style-alist' variable.  For example:

     (setq mml-signencrypt-style-alist '(("smime" separate)
                                         ("pgp" separate)
                                         ("pgpauto" separate)
                                         ("pgpmime" separate)))

   This causes to sign and encrypt in two passes, thus generating a
message that can be understood by PGP version 2.

   (Refer to <http://www.gnupg.org/gph/en/pgp2x.html> for more
information about the problem.)

Re: how to signencrypt with gpg for pgp2

[Matthias Andree]

Florian Weimer <fw@deneb.enyo.de> writes:

>> "Replacing PGP 2.x with GnuPG" by Kyle Hasselbacher et al,
>> <URL:http://www.gnupg.org/gph/en/pgp2x.html>, comes to our rescue:
>> it documents a workaround (with minor errors in the first of the four
>> stages). It's not trivial, but works.
>
> <http://muppet.faveve.uni-stuttgart.de/~gero/gpg-2comp/>
>
> gpg.el can be trivially reconfigured to use this script, and it once
> worked.

It does the same thing. A /bin/sh is ubitquitous though, Perl is not.

I wonder why this hasn't been implemented in GnuPG
itself. Is --pgp2signencrypt hard to implement if so many people want
it?



Oh, and the script doesn't like to be used for this purpose:

  (C)opyright 1999 by Gero Treuner <gero@faveve.uni-stuttgart.de>
  $Id: gpg-2comp,v 1.3 1999/10/28 15:19:23 gero Exp gero $

  Important note: This script is not designed to be called from other
                  places as the Mutt mail user agent, especially not
                  instead of gpg from a shell.

-- 
Matthias Andree