crypto flaw in secure mail standards

Jon Callas jon at
Fri Jun 22 15:58:10 EDT 2001

This is a really good issue you've brought up, brilliant and creative.
However, like Derek said, this isn't a crypto problem. I'm going to go
further and say that it isn't even an engineering problem.

You demonstrate some interesting problems with secure messaging, but *none*
of them have anything to do with cryptography. They all have to do with
semantics, expectation, and human behavior.

Both of the scenarios you give are perfectly plausible. They could happen.
However, they don't *have* to happen that way and presume certain
conditions that are at best specialized.

Let's take the first one. This one presupposes that Alice's signed message
says, "The Deal is off." Note that if Alice had said a number of other
things, there would be no problem.

Suppose Alice's message to Bob is: "Dear, Bob, I'm sorry to send you some
bad news, but my company has had a reorganization, and we cannot pursue our
deal with XYZcorp at this time. I enjoy working with you, and hope that we
will be able to re-activate this deal at a future date."

Now there's no attack. If Bob sends *this* message to Charlie, then
Charlie's going to scratch his head and call Alice by phone. Then they'll
check the email headers, and see that it came from a hijacked IIS server in

The real problem here is that there are some terse messages that it's a
very bad idea to sign. For example, "The deal's off." Also, "Your mother
wears army boots," "So's your old man," and "Take a long walk off a short

Cryptography cannot solve the problem of appropriate use of the technology.
Let me give a related "attack." Suppose before she cancels the deal Alice
sends Bob a message that says, "I'm really glad I'm working with you and
not Charlie. He's a real twit, and I have to grit my teeth every time I
deal with him." After canceling the deal, Bob then sends *that* message
with Alice's signature to Charlie. Cryptography can't solve *that* problem,
either. My dear, late friend, Marin Minow had a maxim, and that maxim is,
"Don't send anything by email that you don't want to see attached to your
resume." That can be extended to really, really, not sending a signed
document that you don't want to see attached to your resume.

I will also point our here, that the attack you give needs no encryption.
This is why I say it isn't even an engineering problem. It works equally
well with a clearsigned message. Adding in encryption weakens your case.
It's a more powerful attack on signing alone because anyone who finds that
message can retarget it.

My response, simply put, is don't sign a vague message like this:

Hash: SHA1

The deal's off

Version: PGP 6.5.2


because you'll be subject to retargeting. There is nothing a cryptographer
or engineer can do to protect such an easily misunderstood message.

The next problem you give is more interesting. It's again, misuse rather a
crypto problem, but it strikes at the heart of two unsolved issues with
digital signatures:

	(1) What does a signature mean?
	(2) Can a signature be misused?

The answers to those questions are in my opinion, "Whatever you want them
to" and "Yes." Again, your demonstrations are brilliant examples of how you
can misuse a signature into some sort of semantic attack.

The first question is a swamp, so I'll only dance around it. I know people
who regularly sign all their email. I know people who refuse to sign email
(or rarely do). Each of them has a good explanation for why they do what
they do. For full disclosure, I rarely sign messages. Since I rarely sign
messages, it's relatively easy for someone to forge one coming from me. On
the other hand, since I don't sign messages out of habit, I'm not going to
accidentally create a retargetable message. But what this shows is that if
you find a signed document in the wrong hands, the assumption that the
signer sent it is flat silly.

The second question strikes at the very heart of one of the biggest
fantasies there is with digital signatures: non-repudiation. I don't
believe that non-repudiation exists. This second example is not an attack
on cryptography, but a brilliant attack on the notion of non-repudiation.
Stan Kelley-Bootle has a marvelous definition in "The Devil's DP
Dictionary" for "GIGO" that is, "Garbage In, Gospel Out." Sheer brain-dead
fantasies having been run through a computer become holy and divinely
inspired. Similarly, people think that a digital signature makes real-world
considerations go away, and alas, the people who believe this most are
lawyers (who should know better).

Let's analyze that second problem. Someone goes to Alice and says, "Hey,
Charlie has a catalog signed by you." Alice says, "Who's Charlie? I've
never heard of Charlie. I've never sent sensitive company material outside
the company." We all know that it's true. Alice didn't. Bob did. But we
also know that it's plausible for the corporate investigator to think Alice
did because of this Garbage In, Gospel Out fantasy as applied to signatures.

When I go on my "there's no such thing as non-repudiation" rant, I usually
focus on the difficulty of securing a private key. I really like this
scenario, because it shows another attack on non-repudiation -- taking
things out of context. Thank you! This is the true attack, that it's a
semantic attack on what the message *means*, not how it's constructed. A
signed message (because again, it works just as well if it's signed without
being encrypted) out of context means nothing. Signatures do not grant
meaning, and in fact can easily misdirect or obscure it.

The real problem is not one of cryptography, it's one of belief. It is
believing that a message containing a signed object came from the person
who signed it. It is believing that cryptography protects meaning, not
merely bits. It is believing that real-world problems with the interactions
of people can be solved with a bit of fancy math. These are all ludicrous,
and thank you for coming up with another attack on them.


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list