* Weaknesses in PGP signatures
@ 1995-12-30 23:47 Steven L. Baur
0 siblings, 0 replies; only message in thread
From: Steven L. Baur @ 1995-12-30 23:47 UTC (permalink / raw)
-----BEGIN PGP SIGNED MESSAGE-----
There's recently been a discussion of forging techniques that are hard
to repudiate when PGP signatures are used (alt.security.pgp,
sci.crypt, and the cypherpunks mailing list). A suggested possible
solution to make this harder is to include some of the mail headers
into the PGP signed portion of the message.
A Gnus implementation of this follows:
;;; Pgp signed messages are vulnerable to various kinds of badness due to
;;; the separation of header information. Fix it.
(defconst gnus-pgp-included-headers '("From"
"To"
"Newsgroups"
"Message-ID"
"Date"
"Subject"
"Cc"
"Gcc")
"Headers to include in signed portion of PGP signed message.")
(defconst gnus-pgp-signed-headers "----BEGIN PGP SIGNED HEADERS----\n"
"String to use for separation in message.")
(defun gnus-article-sign-message (arg)
"Sign a message with PGP, including outgoing headers in an included
block, as per the suggestion of \"Dr. Dimitri Vulis\" <dlv@bwalk.dm.com>."
(interactive "p")
(save-excursion
(save-restriction
(gnus-inews-narrow-to-headers)
(goto-char (point-max))
(or (mail-fetch-field "date")
(insert (concat "Date: " (gnus-inews-date) "\n")))
(or (mail-fetch-field "message-id")
(insert (concat "Message-ID: " (gnus-inews-message-id) "\n")))))
(save-excursion
(goto-char (point-max))
(insert "\n")
;; If there is already a header block (eg. after undoing a signature)
;; remove it entirely, and rebuild from scratch.
(if (re-search-backward gnus-pgp-signed-headers nil t)
(kill-region (point) (point-max)))
(insert gnus-pgp-signed-headers)
(let ((headers gnus-pgp-included-headers)
header header-value)
(while (setq header (car headers))
(setq headers (cdr headers))
(save-excursion
(save-restriction
(gnus-narrow-to-headers)
(setq header-value (mail-fetch-field header))))
(if header-value
(insert (concat header ": " header-value "\n"))))
(insert "\n")))
(mc-sign arg))
- --
steve@miranova.com baur
- ----BEGIN PGP SIGNED HEADERS----
To: ding@ifi.uio.no
Message-ID: <m2ka3em7v9.fsf@diana.miranova.com>
Date: 30 Dec 1995 15:47:54 -0800
Subject: Weaknesses in PGP signatures
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface
iQCVAwUBMOXPr6LJZEUiepcNAQFX1wP/ZBgFvEYGLC+8Rq6C4at502ZmEQKDd+1v
OQsjHpQeqg9OfWKnvPbdou3torOQPMzsdn9grxjkblXFiN/dsYFsJXlYgA5Vzpf1
E2gw5Ng6wdYzvwwgF0Q8ZkbH3efPSYNvOPf8EexrCTmruK3TVFqAfNTwUnbgM2rS
zfumRMdD9r0=
=Fwj/
-----END PGP SIGNATURE-----
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~1995-12-30 23:47 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
1995-12-30 23:47 Weaknesses in PGP signatures Steven L. Baur
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).