From mboxrd@z Thu Jan 1 00:00:00 1970 X-Msuck: nntp://news.gmane.io/gmane.emacs.gnus.general/4575 Path: main.gmane.org!not-for-mail From: steve@miranova.com (Steven L. Baur) Newsgroups: gmane.emacs.gnus.general Subject: Weaknesses in PGP signatures Date: 30 Dec 1995 15:47:54 -0800 Organization: Miranova Systems, Inc. Message-ID: NNTP-Posting-Host: coloc-standby.netfonds.no Mime-Version: 1.0 (generated by tm-edit 7.38) Content-Type: text/plain; charset=US-ASCII X-Trace: main.gmane.org 1035145304 30134 80.91.224.250 (20 Oct 2002 20:21:44 GMT) X-Complaints-To: usenet@main.gmane.org NNTP-Posting-Date: Sun, 20 Oct 2002 20:21:44 +0000 (UTC) Return-Path: ding-request@ifi.uio.no Original-Received: from ifi.uio.no (ifi.uio.no [129.240.64.2]) by miranova.com (8.6.11/8.6.9) with ESMTP id QAA28149 for ; Sat, 30 Dec 1995 16:22:54 -0800 Original-Received: from miranova.com (steve@miranova.com [204.212.162.100]) by ifi.uio.no with ESMTP (8.6.11/ifi2.4) id for ; Sun, 31 Dec 1995 00:50:58 +0100 Original-Received: (from steve@localhost) by miranova.com (8.6.11/8.6.9) id PAA28001; Sat, 30 Dec 1995 15:48:49 -0800 Original-To: ding@ifi.uio.no X-Url: http://www.miranova.com/%7Esteve/ In-Reply-To: dlv@bwalk.dm.com's message of 30 Dec 1995 07:30:09 -0800 Original-Lines: 80 X-Mailer: September Gnus v0.26/XEmacs 19.13 Xref: main.gmane.org gmane.emacs.gnus.general:4575 X-Report-Spam: http://spam.gmane.org/gmane.emacs.gnus.general:4575 -----BEGIN PGP SIGNED MESSAGE----- There's recently been a discussion of forging techniques that are hard to repudiate when PGP signatures are used (alt.security.pgp, sci.crypt, and the cypherpunks mailing list). A suggested possible solution to make this harder is to include some of the mail headers into the PGP signed portion of the message. A Gnus implementation of this follows: ;;; Pgp signed messages are vulnerable to various kinds of badness due to ;;; the separation of header information. Fix it. (defconst gnus-pgp-included-headers '("From" "To" "Newsgroups" "Message-ID" "Date" "Subject" "Cc" "Gcc") "Headers to include in signed portion of PGP signed message.") (defconst gnus-pgp-signed-headers "----BEGIN PGP SIGNED HEADERS----\n" "String to use for separation in message.") (defun gnus-article-sign-message (arg) "Sign a message with PGP, including outgoing headers in an included block, as per the suggestion of \"Dr. Dimitri Vulis\" ." (interactive "p") (save-excursion (save-restriction (gnus-inews-narrow-to-headers) (goto-char (point-max)) (or (mail-fetch-field "date") (insert (concat "Date: " (gnus-inews-date) "\n"))) (or (mail-fetch-field "message-id") (insert (concat "Message-ID: " (gnus-inews-message-id) "\n"))))) (save-excursion (goto-char (point-max)) (insert "\n") ;; If there is already a header block (eg. after undoing a signature) ;; remove it entirely, and rebuild from scratch. (if (re-search-backward gnus-pgp-signed-headers nil t) (kill-region (point) (point-max))) (insert gnus-pgp-signed-headers) (let ((headers gnus-pgp-included-headers) header header-value) (while (setq header (car headers)) (setq headers (cdr headers)) (save-excursion (save-restriction (gnus-narrow-to-headers) (setq header-value (mail-fetch-field header)))) (if header-value (insert (concat header ": " header-value "\n")))) (insert "\n"))) (mc-sign arg)) - -- steve@miranova.com baur - ----BEGIN PGP SIGNED HEADERS---- To: ding@ifi.uio.no Message-ID: Date: 30 Dec 1995 15:47:54 -0800 Subject: Weaknesses in PGP signatures -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface iQCVAwUBMOXPr6LJZEUiepcNAQFX1wP/ZBgFvEYGLC+8Rq6C4at502ZmEQKDd+1v OQsjHpQeqg9OfWKnvPbdou3torOQPMzsdn9grxjkblXFiN/dsYFsJXlYgA5Vzpf1 E2gw5Ng6wdYzvwwgF0Q8ZkbH3efPSYNvOPf8EexrCTmruK3TVFqAfNTwUnbgM2rS zfumRMdD9r0= =Fwj/ -----END PGP SIGNATURE-----