Newsgroups: sci.crypt
Path: msuinfo!caen!sdd.hp.com!usc!elroy.jpl.nasa.gov!ames!sgi!fido!bolyard.wpd.sgi.com!nelson
From: nelson@bolyard.wpd.sgi.com
Subject: the trusted public-key distribution problem
Message-ID: <gltrg00@fido.asd.sgi.com>
Summary: keys in signatures aren't good enough
Originator: nelson@bolyard.wpd.sgi.com
Sender: news@fido.asd.sgi.com (Usenet News Admin)
Reply-To: nelson@sgi.com
Organization: Silicon Graphics, Inc., Mountain View, CA
References: <10297@cactus.org> <1992Jan31.194242.14474@talon.ucs.orst.edu>
Distribution: na
Date: Tue, 4 Feb 1992 23:57:19 GMT
Lines: 127

johng@oce.orst.edu (John Gregor) writes:
>In article <10297@cactus.org> ritter@cactus.org (Terry Ritter) writes:
> 
>>  If I broadcast my public key over a network, it is possible that my
>>  key may be deliberately modified in transit -- changed, in fact, to
>>  someone else's key.  Then any response to me which uses the changed key
>>  may be deciphered and then re-enciphered in my correct key before I see
>>  it.  And neither I nor my correspondent need be any the wiser.
>
>Not necessarily.  If you encrypt your message (or at least your
>signature) with both the other party's public key AND your private key
>then the person in the middle won't be able to spoof unless he has
>intercepted both parties' broadcasts or cracked both of their private
>keys.
>
>If you include in this doubly encrypted area the public key of the
>party you are sending to, then the spoofer will be unable to intercept
>and forward messages unless he has broken both private keys.  Even if
>he has successfully intercepted both broadcasts, he would only be able
>to intercept the first communication.  But he would be unable to
>forward it to the other party as he would be unable to re-encrypt the
>body with the correct public key in place.
>
>Or have I missed something?

I agree with Terry's scenario.  It's not merely academic or theoretical;
this kind of thing goes on today!

For example, this month, a fidonet system began to gateway postings to and
from the usenet newsgroup comp.org.eff.talk.  The fidonet system had
software to generate usenet and internet-style mail addresses on behalf of
fidonet users, and placed those addresses onto postings that originated
from fidonet, so that usenet and internet folks could use their mailers to
reply to fidonet posters.  Unfortunately, this gateway began to forward
usenet articles from one usenet site to another, and it changed those
articles also.  It took usenet articles, and sent them out with completely
different from/reply addresses.  It generated a "signature" on the bottom
of each message that looked so much like an ordinary signature that it was
hard to tell.  It made usenet and internet users appear to have become
fidonet users, manufacturing and appending very authentic-looking
"signatures".

Here's an actual example of the header and signature from one such posting
that was actually posted here at sgi.com by a coworker:

>Path: fido!shinobu!sgi!mips!sdd.hp.com!wupost!uunet!bu2.bu.edu!bu.
>+     edu!wang!wizvax!buscard!p0.f10.n396.z1.FIDONET.ORG!Eliot.
>+     Lear
>From: Eliot.Lear@p0.f10.n396.z1.FIDONET.ORG (Eliot Lear) 
>Newsgroups: comp.org.eff.talk 
>Subject: Re: UC computer searches (was Re: hackers, crackers,
>+        privacy on KQED)
>Message-ID: <2762.297362E1@buscard.FIDONET.ORG>
>Date: 11 Jan 92 04:11:00 GMT
>Sender: ufgate@buscard.FIDONET.ORG (newsout1.26)
>Organization: FidoNet node 1:396/10.0 - Minas Tirith, New Orleans LA
>Lines: 18
  [ original text deleted ]
>--- Fred-Uf 1.8k
>* Origin: mintir.fidonet.org, New Orleans' fido<->uucp gateway
>(1:396/10.0)
>
>--  
>Eliot Lear - via FidoNet node 1:324/121 (UUCP/UseNet<->FidoNet gateway)
>UUCP:  wizvax!buscard!396!10.0!Eliot.Lear
>ARPA:  Eliot.Lear@p0.f10.n396.z1.FIDONET.ORG

Now, notice that _all clues_ that this user was _really_ lear@sgi.com and
not Eliot.Lear@p0.f10.n396.z1.FIDONET.ORG are removed from this message.
The sender, message id, organization all were changed.   I looked at that
3-line signature at the end and found it so convincing that I thought
Eliot must've become a fidonet user, and sent him mail asking why he used
a fidonet host in New Orleans when he's got usenet right here in Mountain
View.  When I got his reply, which explained that the article had originally
been locally posted on usenet, my eyes were opened.

Now, to answer your question/suggestion about encrypting the public keys 
in the message: the danger exists.

Suppose that Eliot's original article had had a public key listed as part
of his signature.  It would be very easy for the same software to have
made up a new (false) public/private key pair, and to have put the new
false public key in the signature.  Since the generated reply addresses
in the false-signature point back to the system that made the
substitution, any replies sent to those addresses go back to that system.
If two correspondents knew of each other only through postings and mail
that passed through such a gateway, the gateway could systematically replace
all public keys in signatures with ones of its own.

To return to your scenario, imagine your two correspondents, Alice and
Bob.  Alice sends a message to Bob via this gateway, encrypting it in her
private key and the false public key for Bob that was generated by the
gateway, that she read in Bob's false signature.  The gateway receives
Alice's message, and decrypts it using Bob's false private key and also
with Alice's real public key.  Then it re-encrypts the message using
Alice's false private key and Bob's real public key.  Bob receives the
message, decrypts it with his real private key, and with Alice's false
public key, which he finds in her signature.  The gateway never needs to
break any of the real private keys.  It only needs to make sure that Alice
and Bob never see each other's _true_ public keys.

Now to address one last point: What if Alice includes a copy of her public
key and Bob's false public key (which she believes is Bob's true public
key) somewhere in the body of one of her mail messages?  Won't Bob notice
that these values don't match the values that he has?

Given that the gateway is doing all this decryption and encryption, for it
to also grep through the decrypted document looking for either sender or
recipient's public key would add negligible overhead.  So the gateway
looks for these keys in the body of the document and modifies them there.
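As an added illustration (not part of the original post), the following Python models the gateway substitution described in the two passages above, with constructed opaque strings standing in for real key material, together with the check a recipient can make against a directory that publishes the fingerprint each owner registered, the kind of KDC argued for below. The address, identity and directory structure are assumptions of this example.

```python
# Added simulation, not from the original post.  Keys are constructed
# opaque strings (hash outputs), not real public-key material.
import hashlib


def toy_keypair(seed: str):
    """Constructed stand-in for a public/private pair; derived from a seed
    so the example is deterministic."""
    private = hashlib.sha256(("priv:" + seed).encode()).hexdigest()
    public = hashlib.sha256(("pub:" + private).encode()).hexdigest()
    return private, public


def fingerprint(public: str) -> str:
    return hashlib.sha256(public.encode()).hexdigest()[:16]


def post(author: str, address: str, public: str, body: str) -> dict:
    """A posting carrying its author's public key in the signature."""
    return {"author": author, "from": address, "body": body, "sig_key": public}


def gateway_rewrite(posting: dict, fake_public: str, new_address: str) -> dict:
    """The gateway behaviour described above: the reply address and the
    in-band key are replaced, including any copy pasted into the body."""
    body = posting["body"].replace(posting["sig_key"], fake_public)
    return {"author": posting["author"], "from": new_address,
            "body": body, "sig_key": fake_public}


def register(directory: dict, owner: str, public: str) -> None:
    """A directory that publishes the fingerprint of the key the owner gave it."""
    directory[owner] = fingerprint(public)


def key_is_trusted(posting: dict, directory: dict) -> bool:
    """Recipient check: the in-band key must match the directory entry for the
    author's identity, not whatever address the header now carries."""
    expected = directory.get(posting["author"])
    return expected is not None and expected == fingerprint(posting["sig_key"])


def demo():
    directory = {}
    _, eliot_pub = toy_keypair("eliot")
    register(directory, "Eliot Lear", eliot_pub)
    original = post("Eliot Lear", "lear@sgi.com", eliot_pub, "key: " + eliot_pub)
    _, fake_pub = toy_keypair("gateway-key-for-eliot")
    rewritten = gateway_rewrite(original, fake_pub, "Eliot.Lear@example.invalid")
    # (original accepted, rewritten rejected, body copy was also swapped)
    return (key_is_trusted(original, directory),
            key_is_trusted(rewritten, directory),
            fake_pub in rewritten["body"])
```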

Finally, what would make her suspect phony keys?  If Bob was a coworker,
she might wonder (as I did) about the strange return address.  But what if
she was only replying to a usenet posting?  What would make her suspect?

Conclusion: I once thought that all the stuff about trusted public KDCs
was an overgrown molehill, and that public keys in signatures were
sufficient.  But now I'm convinced that this problem needs a good solution.

I still reject, however, the notion that a trusted KDC must be allowed to
generate the public/private key pairs it disseminates (which I understand
to be part of the PEM proposal).  I still want a KDC that disseminates the
public key that I give it.
--
Nelson Bolyard      nelson@sgi.COM      {decwrl,sun}!sgi!whizzer!nelson
Disclaimer: Views expressed herein do not represent the views of my employer.