https://bugs.kde.org/show_bug.cgi?id=399050
Bug ID: 399050
Summary: Signature spoofing in PGP encrypted email (ID layer)
Product: trojita
Version: unspecified
Platform: unspecified
OS: Linux
Status: REPORTED
Severity: minor
Priority: NOR
Component: Cryptography
Assignee: trojita-b...@kde.org
Reporter: jens.a.mueller+...@rub.de
Target Milestone: ---

Created attachment 115220
--> https://bugs.kde.org/attachment.cgi?id=115220&action=edit
Testcase 'display name'

Dear Trojitá Devs,

In the scope of academic research we discovered a (minor) PGP signature validation issue in Trojitá based on how Trojitá matches a signed message to a sender's identity.

*** Prerequisites ***

This attack requires three parties: Alice, Bob and Eve. Bob trusts Alice and Eve. He has both public keys imported to be able to verify their PGP signed messages. The attacker -- Eve -- is successful if she can send an email signed by herself while Bob's mail client shows the email as signed by Alice on the first level of the UI -- i.e. by just viewing the email without further investigating the signature details or performing a forensic analysis.

*** Attack Description ***

When dealing with digital signatures, the question of *signed by whom* is an important one. If Bob's mail client simply displayed `valid signature' once a PGP signed message is received, Eve could sign her message and send it to Bob with Alice set as the sender. This is due to a lack of binding between the user ID derived from the PGP signature and the address given in the *From:* header.

There are two options to handle this problem: First, a mail client can explicitly display the signer's identity somewhere in the UI and let the user compare it to the sender address. Secondly, a warning can be shown if the signer's identity (email address) does not equal the sender address as shown by the mail client. Trojitá chooses the latter option, which is hard to implement in a secure way.

*** Proof of Concept ***

Please find attached various proof-of-concept emails which allow an attacker to get a `valid signature' displayed by Trojitá even though the shown sender address does not equal the actual signer address.

*** Countermeasures ***

It can be considered as a good practice to explicitly show *signed-by-whom* directly in the UI when displaying a PGP signed message. A comparison to the *From:* or *Sender:* header fields may not be sufficient because this approach is error prone.

Feel free to contact me for any questions.

Greetings,
Jens Mueller

--
M.Sc. Jens Mueller
Research Assistant
Chair for Network and Data Security, Ruhr-University
Universitaetsstr. 150
Building ID 2/415
D-44780 Bochum
Phone: +49 (0) 234 / 32-29177
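The binding problem the report describes (signer user ID versus the *From:* header) can be handled by a mail client in the way the Countermeasures section recommends: always surface the signer's identity, and treat the header comparison only as an additional, conservative check. The following is an added example written for this page, not Trojitá code and not the reporter's proof of concept. It assumes the OpenPGP verifier hands back the signing key's user IDs as plain strings (`signer_uids`) and that the message headers are available as text; the sample headers and key user IDs below are constructed. The check parses the *From:* header with Python's strict `email.policy.default` parser, refuses to bind when the header has defects or lists more than one mailbox, and compares only addr-specs, so a display name that merely looks like an address never counts as a match.

```python
"""Bind a verified OpenPGP signature to the message sender (added example).

Assumptions, not taken from the bug report: signer user IDs come from the
verifier as strings such as 'Alice <alice@example.org>', and the headers are
given as RFC 5322 text. Sample data below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from email import message_from_string, policy
from email.utils import parseaddr


@dataclass
class SignerVerdict:
    signer_uids: list[str]            # always shown to the user ("signed by whom")
    from_addr: str | None             # parsed From addr-spec, None if unusable
    bound: bool                       # True only when a signer UID matches From
    reasons: list[str] = field(default_factory=list)


def uid_addr_spec(uid: str) -> str | None:
    """Return the lower-cased addr-spec of an OpenPGP user ID, if it has one."""
    _, addr = parseaddr(uid)
    return addr.lower() if "@" in addr else None


def sender_addr_spec(raw_headers: str) -> tuple[str | None, list[str]]:
    """Return the single From addr-spec, or None plus the reasons it is unusable.

    policy.default decodes RFC 2047 encoded words and records parse defects,
    so malformed or ambiguous From headers are rejected instead of guessed at.
    """
    msg = message_from_string(raw_headers, policy=policy.default)
    headers = msg.get_all("From") or []
    if len(headers) != 1:
        return None, [f"expected exactly one From header, found {len(headers)}"]
    hdr = headers[0]
    reasons = [str(d) for d in hdr.defects]
    if len(hdr.addresses) != 1:
        reasons.append(f"From lists {len(hdr.addresses)} mailboxes, expected one")
    if reasons:
        return None, reasons
    # Only the addr-spec is compared; the display name is never trusted.
    return hdr.addresses[0].addr_spec.lower(), []


def bind_signature(raw_headers: str, signer_uids: list[str]) -> SignerVerdict:
    """Decide whether the signing key's identity is bound to the From address."""
    from_addr, reasons = sender_addr_spec(raw_headers)
    uid_addrs = {a for a in map(uid_addr_spec, signer_uids) if a}
    bound = from_addr is not None and from_addr in uid_addrs
    if from_addr is not None and not bound:
        reasons.append(f"signer {sorted(uid_addrs)} does not match From {from_addr}")
    return SignerVerdict(list(signer_uids), from_addr, bound, reasons)


def render(verdict: SignerVerdict) -> str:
    """One-line UI summary that names the signer regardless of the From check."""
    signer = ", ".join(verdict.signer_uids) or "<key without user ID>"
    status = "matches sender" if verdict.bound else "DOES NOT match sender"
    return f"Valid signature by {signer} ({status})"


if __name__ == "__main__":
    alice_key = ["Alice <alice@example.org>"]          # constructed key user ID
    samples = [                                         # constructed headers
        "From: Alice <alice@example.org>\n\n",
        "From: =?utf-8?q?Alice?= <ALICE@Example.org>\n\n",
        'From: "alice@example.org" <eve@example.net>\n\n',
        "From: Alice <alice@example.org>, Eve <eve@example.net>\n\n",
    ]
    for raw in samples:
        v = bind_signature(raw, alice_key)
        print(render(v), "|", "; ".join(v.reasons) or "ok")
```

Running the script prints a verdict line per constructed sample: the plain and the RFC 2047 encoded *From:* headers bind to Alice's user ID, the header whose display name is an address but whose addr-spec is a different mailbox does not, and a header with two mailboxes is reported as unusable rather than matched. In every case the signer's user ID is part of the rendered line, which is the point the report makes: the *From:* comparison is a secondary safeguard, the displayed signer identity is the primary one.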