https://bugs.kde.org/show_bug.cgi?id=399050

            Bug ID: 399050
           Summary: Signature spoofing in PGP encrypted email (ID layer)
           Product: trojita
           Version: unspecified
          Platform: unspecified
                OS: Linux
            Status: REPORTED
          Severity: minor
          Priority: NOR
         Component: Cryptography
          Assignee: trojita-b...@kde.org
          Reporter: jens.a.mueller+...@rub.de
  Target Milestone: ---

Created attachment 115220
  --> https://bugs.kde.org/attachment.cgi?id=115220&action=edit
Testcase 'display name'

Dear Trojitá Devs,

In the scope of academic research we discovered a (minor) PGP signature
validation issue in Trojitá based on how Trojitá matches a signed message to a
sender's identity.

*** Prerequisites ***

This attack requires three parties: Alice, Bob and Eve. Bob trusts Alice and
Eve. He has both public keys imported to be able to verify their PGP signed
messages. The attacker -- Eve -- is successful if she can send an email signed
by herself while Bob's mail client shows the email as signed by Alice on the
first level of the UI -- i.e. by just viewing the email without further
investigating the signature details or performing a forensic analysis.

*** Attack Description ***

When dealing with digital signatures, the question of *signed by whom* is an
important one. If Bob's mail client simply displayed `valid signature' once a
PGP signed message is received, Eve could sign her message and send it to Bob
with Alice set as the sender. This is due to a lack of binding between the user
ID derived from the PGP signature and the address given in the *From:* header.
There are two options to handle this problem: First, a mail client can
explicitly display the signer's identity somewhere in the UI and let the user
compare it to the sender address. Secondly, a warning can be shown if the
signer's identity (email address) does not equal the sender address as shown by
the mail client. Trojitá chooses the latter option, which is hard to implement in
a secure way.

*** Proof of Concept ***

Please find attached various proof-of-concept emails which allow an attacker
to get a `valid signature' displayed by Trojitá even though the shown
sender address does not equal the actual signer address.

*** Countermeasures ***

It can be considered as a good practice to explicitly show *signed-by-whom*
directly in the UI when displaying a PGP signed message. A comparison to the
*From:* or *Sender:* header fields may not be sufficient because this approach
is error prone.

Feel free to contact me for any questions.

Greetings,
Jens Mueller

--
M.Sc. Jens Mueller
Research Assistant
Chair for Network and Data Security, Ruhr-University
Universitaetsstr. 150
Building ID 2/415
D-44780 Bochum
Phone: +49 (0) 234 / 32-29177
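The report argues that a client should always show *signed by whom* and that a bare "signer equals From:" comparison is error prone. The following is an added example, not Trojitá's code and not from the reporter: a small Python model of the check a defender would want, which (a) always returns the signer's address for display and (b) flags From: headers whose shape could mislead the comparison (a display name that itself contains an address, more than one angle-addr, a malformed addr-spec). The header values, user IDs and function names (`parse_from`, `bind_signer`) are constructed for illustration; the signer user IDs are assumed to arrive from the verifying library as "Name <email>" strings. It generalizes the report's display-name case to several header shapes.

```python
"""Added example (not Trojitá's code): bind a PGP signer identity to the
From: header and always surface the signer address in the UI line."""
import re
from dataclasses import dataclass, field
from typing import List

# Matches a single angle-addr such as <alice@example.org>.
ANGLE = re.compile(r"<([^<>]*)>")


def norm(addr: str) -> str:
    # Case-insensitive comparison of the whole address; a simplification,
    # since RFC 5321 local parts are technically case-sensitive.
    return addr.strip().lower()


@dataclass
class FromInfo:
    display: str              # display-name part, e.g. Alice
    address: str              # addr-spec part, e.g. alice@example.org
    flags: List[str] = field(default_factory=list)  # reasons to distrust


def parse_from(value: str) -> FromInfo:
    """Deliberately strict parser for 'Name <addr>' or bare 'addr' forms.

    Anything beyond those two shapes is flagged rather than guessed at,
    because a lenient parser is exactly where a sender/signer comparison
    goes wrong."""
    value = value.strip()
    flags: List[str] = []
    angles = ANGLE.findall(value)
    if value.count("<") != value.count(">") or len(angles) > 1:
        flags.append("multiple-or-unbalanced-angle-addr")
    if angles:
        address = angles[0].strip()
        display = ANGLE.sub("", value).strip().strip('"').strip()
    else:
        address, display = value, ""
    if address.count("@") != 1 or any(c.isspace() for c in address):
        flags.append("malformed-addr-spec")
    if "@" in display:
        # A display name that looks like an address is what a user sees
        # "on the first level of the UI" instead of the real addr-spec.
        flags.append("display-name-contains-address")
    return FromInfo(display, address, flags)


@dataclass
class Verdict:
    signer_addresses: List[str]   # addresses bound to the signing key
    sender: FromInfo
    signer_matches_sender: bool

    def ui_line(self) -> str:
        # Countermeasure from the report: the signer is named explicitly,
        # whether or not it matches the From: header.
        signed_by = ", ".join(self.signer_addresses) or "unknown key"
        if self.signer_matches_sender and not self.sender.flags:
            return f"Valid signature, signed by {signed_by}"
        problems = "; ".join(self.sender.flags) or "signer differs from From: address"
        return f"Valid signature, signed by {signed_by} (WARNING: {problems})"


def bind_signer(from_header: str, signer_uids: List[str]) -> Verdict:
    """Given a From: header value and the user IDs of the key that produced a
    cryptographically valid signature, decide whether the two agree."""
    sender = parse_from(from_header)
    signers = [norm(parse_from(uid).address) for uid in signer_uids]
    matches = (
        "malformed-addr-spec" not in sender.flags
        and norm(sender.address) in signers
    )
    return Verdict(signers, sender, matches)


if __name__ == "__main__":
    # Constructed sample headers; the third mimics a spoofed display name.
    samples = [
        ("Alice <alice@example.org>", ["Alice <alice@example.org>"]),
        ("Alice <alice@example.org>", ["Eve <eve@example.org>"]),
        ('"alice@example.org" <eve@example.org>', ["Eve <eve@example.org>"]),
        ("Alice <alice@example.org> <eve@example.org>", ["Alice <alice@example.org>"]),
    ]
    for hdr, uids in samples:
        print(f"{hdr!r:50} -> {bind_signer(hdr, uids).ui_line()}")
```

The design choice is that `ui_line()` never collapses to a bare "valid signature": the signer address is part of the output in every branch, so a user who only reads the first line still sees whose key signed the message, which is the report's first countermeasure; the flags implement the second (the warning) without trusting the parser to be lenient.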
