crypto flaw in secure mail standards

lcs Mixmaster Remailer mix at
Fri Jun 22 14:40:09 EDT 2001

Don Davis writes,

> All current secure-mail standards have a
> significant cryptographic flaw.  There are several standard
> ways to send and read secure e-mail.  The most well-known
> secure mail systems are PGP and S/MIME.  All current public-
> key-based secure-mail standards have this flaw.  Here are some
> examples of the flaw in action:
> Suppose Alice and Bob are business partners, and are setting
> up a deal together.  Suppose Alice decides to call off the
> deal, so she sends Bob a secure-mail message: "The deal is off."

The only thing protected in a signed message is that portion signed.
Alice needs to say, "Bob, the deal is off."

Actually this is not enough.  Suppose Alice sends this, or equivalently
suppose we use an encryption scheme similar to what David Hopwood
describes where the inner signed portion includes the outer key.

There can still be trouble.  Suppose at some later time Alice and Bob
negotiate a new contract, and Bob wants to get out of it.  He pulls out
this old message of Alice's and stamps a new date on it, claiming that
it was with regard to their new contract negotiation.  He says that
Alice withdrew from the contract so he is not liable for any penalties.

Again the problem is that only what is signed is protected.  If the date
is not signed, it is not protected.  So the protocol has to include the
date in the signature.  (Actually I think most email encryption protocols
do this, but the point is that the formal description of what is signed
may not show that.)  Only what is signed is protected.

Even the date may not be enough.  Suppose Alice and Bob are separately
negotiating two different contracts, using a threaded mail reader
which uses Reply-To: or some similar fields in the mail header so
that exchanges with regard to one contract are shown separately from
exchanges with regard to the other.  Then Alice might send, "Bob, the
deal is off," including a date in the signature, and expect it to apply
just to the deal being negotiated in that thread, because that's how her
mail software shows it.  However Bob can take the message and claim that
it applied to the other thread.

In this case, other context that was in the minds of Alice and Bob is
not being covered by the signature.  This is really the general form of
the issue being discussed.  What is in the minds of the participants,
what assumptions are they making that are not being written down?

This is why we have lawyers and contracts and fine print.  These
institutions and practices are the result of centuries of people weaseling
out of contracts in various ways.

It is mistaken to think that we can solve this problem by a little
cryptographic legerdemain involving copying a field from the outer
encryption envelope into the inner signature.  That does not begin to
cover all of the things that can go wrong.

The only real solution is to use the advice and experience of the
legal system when negotiating a contract which will bind the parties.
Make sure everything is written down and sign a document which is as
clear, specific and free of ambiguity as possible.

It's not a cryptographic issue, and failures of this kind are not
cryptographic failures.  Cryptography can't read the minds of the
parties involved and know that all of their assumptions are included in
the signed portion.  The real solution is for the communicants to take
the responsibility to put everything there that is needed.  Only what
is signed is protected.

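The following is an added worked example, not code from the post above or from PGP, S/MIME or any of the standards under discussion. It shows "only what is signed is protected" concretely: in the naive scheme the signature covers the words alone, so Bob can stamp a new date and a different thread on the outside and the message still verifies; in the context-bound scheme the recipient, date and thread are carried inside the signed part and checked against the headers Bob presents. Assumptions not in the post: an HMAC under a key only Alice holds stands in for her public-key signature so the script runs on the standard library alone (with a real signature a third party could verify with Alice's public key, and the binding argument is unchanged); the field names `to`, `date` and `thread`, the addresses, dates and thread identifiers are constructed sample data.

```python
import hashlib
import hmac
import json

# Assumption (not from the post): a symmetric key stands in for Alice's
# signing key so the example runs with only the standard library.  With a
# real PGP/S/MIME signature Alice signs with her private key and anyone
# holding her public key can verify; the binding argument is the same.
ALICE_SIGNING_KEY = b"alice-private-signing-key"

# Context the post argues must be inside the signature: the recipient,
# the date, and the conversation (modelled here as a thread identifier).
CONTEXT_FIELDS = ("to", "date", "thread")


def _mac(data: bytes) -> str:
    return hmac.new(ALICE_SIGNING_KEY, data, hashlib.sha256).hexdigest()


def _canonical(context: dict, body: str) -> bytes:
    """Deterministic bytes covering the bound context and the body, so the
    signer and the verifier hash exactly the same thing."""
    bound = {k: context[k] for k in CONTEXT_FIELDS}
    return json.dumps(bound, sort_keys=True).encode() + b"\n" + body.encode()


def sign_body_only(body: str, context: dict) -> dict:
    """Naive scheme: the signature covers the text alone; the headers ride
    outside it, exactly like ordinary unsigned mail headers."""
    return {"headers": dict(context), "body": body, "sig": _mac(body.encode())}


def verify_body_only(msg: dict) -> bool:
    """Check for the naive scheme.  The headers that accompany the message
    are never compared with anything, so they can say whatever Bob likes."""
    return hmac.compare_digest(_mac(msg["body"].encode()), msg["sig"])


def sign_with_context(body: str, context: dict) -> dict:
    """Context-bound scheme: recipient, date and thread are signed together
    with the body and carried inside the signed part."""
    bound = {k: context[k] for k in CONTEXT_FIELDS}
    return {"headers": dict(context),
            "signed": {"context": bound, "body": body},
            "sig": _mac(_canonical(bound, body))}


def verify_with_context(msg: dict) -> bool:
    """Checks (1) that the signature covers the signed part and (2) that the
    headers the holder presents agree with the context Alice signed."""
    signed = msg["signed"]
    expected = _mac(_canonical(signed["context"], signed["body"]))
    if not hmac.compare_digest(expected, msg["sig"]):
        return False
    return all(msg["headers"].get(k) == signed["context"][k] for k in CONTEXT_FIELDS)


def relabel(msg: dict, new_context: dict) -> dict:
    """What Bob does in the post: keep Alice's signed words and stamp new
    headers (a new date, a different thread) on the outside."""
    forged = json.loads(json.dumps(msg))  # deep copy; Bob has no signing key
    forged["headers"] = dict(new_context)
    return forged


def rewrite_signed_context(msg: dict, new_context: dict) -> dict:
    """Bob's other option under the bound scheme: edit the signed context
    itself.  Without Alice's key the signature no longer matches."""
    forged = json.loads(json.dumps(msg))
    forged["headers"] = dict(new_context)
    forged["signed"]["context"] = {k: new_context[k] for k in CONTEXT_FIELDS}
    return forged


# Constructed sample data modelled on the post's story (not real addresses).
ORIGINAL_CONTEXT = {"to": "bob@example.com", "date": "2001-06-22", "thread": "deal-A"}
BOB_CLAIMED_CONTEXT = {"to": "bob@example.com", "date": "2001-09-14", "thread": "deal-B"}
BODY = "Bob, the deal is off."


def demo() -> dict:
    """Runs both schemes against Bob's relabelling and returns the outcomes."""
    naive = sign_body_only(BODY, ORIGINAL_CONTEXT)
    bound = sign_with_context(BODY, ORIGINAL_CONTEXT)
    return {
        "naive_original_verifies": verify_body_only(naive),
        "naive_relabelled_verifies": verify_body_only(relabel(naive, BOB_CLAIMED_CONTEXT)),
        "bound_original_verifies": verify_with_context(bound),
        "bound_relabelled_verifies": verify_with_context(relabel(bound, BOB_CLAIMED_CONTEXT)),
        "bound_rewritten_verifies": verify_with_context(
            rewrite_signed_context(bound, BOB_CLAIMED_CONTEXT)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The naive message verifies both before and after Bob's relabelling, which is the flaw; the bound message fails as soon as the presented headers disagree with the signed context, and fails again if Bob rewrites the signed context without Alice's key. The example also illustrates the post's closing caveat: the `thread` field only helps because the mail software put that context inside the signed part. Anything Alice and Bob merely had in mind and never wrote down is still outside the signature.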
The Cryptography Mailing List