Home page logo

bugtraq logo Bugtraq mailing list archives

Re: crypto flaw in secure mail standards
From: Robert Bihlmeyer <robbe () orcus priv at>
Date: 29 Jun 2001 14:30:06 +0200

Richard Atterer <atterer () informatik tu-muenchen de> writes:

PGP and MUAs with PGP support should either make it very clear that
the subject is not encrypted, or (ideally) a facility for encrypted
message headers should be added to OpenPGP.

OpenPGP does not concern itself with these things. The relevant
standards integrating it with MIME (rfc2015 et al) however do, and
since the signed/encrypted part is just another MIME part, you can put
arbitrary headers there. Nowadays these part usually only has a
Content-Type header, but this is not AFAIK in any way required.

However MUAs must support that first, i.e. allow you to define
private headers in addition to the public ones, and be able to replace
message headers with those coming from inside a crypto envelope.

Example (The part prefixed with "& " is in reality encrypted):

    From: nobody () anonymous remailer example org
    To: John Doe <doe () example net>
    Subject: <undisclosed>
    [...more standard e-mail headers...]
    Content-Type: multipart/encrypted;
       protocol="application/pgp-encrypted"; boundary=foo

    Content-Type: application/pgp-encrypted

    Version: 1

    Content-Type: application/octet-stream

    -----BEGIN PGP MESSAGE-----
    & From: Fred Smith <whistleblower () example com>
    & Subject: the sylvester memo
    & Content-Type: multipart/mixed; boundary=bar
    & --bar
    & Content-Type: text/plain; charset=us-ascii
    & Attached is a scan of the internal memo that proves the facts I
    & talked to you about.
    & --bar
    & Content-Type: image/jpeg
    & Content-Transfer-Encoding: base64
    & [...]
    & --bar--
    -----END PGP MESSAGE-----


Attachment: signature.ng

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]