Two Identified Internet Mail Vulnerabilities

There seem to be two security-relevant vulnerabilities in
draft-fenton-identified-mail-01.txt.

1. MIME.  When a site sends e-mail with the body length count
different from -1, then an attacker can change the message's
"Content-Type" header to "multipart/mixed" with a boundary parameter
that occurs nowhere in the message's body.  The attacker can then
proceed to append a valid MIME multipart body to the message without
invalidating the IIM signature. According to section 5.5.1 of RFC
2046, receiving agents will have to ignore the original signed
message's content, and display only the material appended by the
attacker.

One cure to this attack would consist in using multipart/signed
messages, as PGP/MIME and S/MIME do.

2. Fingerprints.  The key fingerprint used by IIM seems to be based
on concatenating the public exponent's and modulus' bit strings,
without any indication where one begins and the other ends.  Hence,
it is possible for an attacker to shift the limit between the two.
The attacker then obtains a number of candidate (exponent, modulus)
pairs that will lead to the same fingerprint; notably, the modulus
in these candidate pairs can be chosen much shorter than the
original one.  The attacker can then search for a modulus that has
two divisors, and generate the corresponding private exponent.  This
attack was described at [1], as an attack on the PGP 2 public key
fingerprint design.

To fix this attack, it would be useful to use a fingerprint format
that makes sure that no bits can be shifted between the public
exponent and the RSA modulus.

[1] http://cypherpunks.venona.com/date/1997/06/msg00523.html

Regards,
-- 
Thomas Roessler, W3C   <tlr@w3.org>

Received on Wednesday, 2 February 2005 19:22:32 UTC
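
The fingerprint ambiguity from point 2 of the message above, and the kind of fix it asks for, as an added example that is not part of the original post or of the IIM draft. Assumptions: SHA-256 stands in for whatever hash the draft uses, the boundary is moved in whole bytes rather than single bits, and the exponent and modulus are small constructed values, not a real key.

```python
import hashlib

def to_bytes(x: int) -> bytes:
    """Minimal big-endian encoding of a positive integer."""
    return x.to_bytes((x.bit_length() + 7) // 8 or 1, "big")

def fp_concat(e: int, n: int) -> str:
    """Fingerprint over e || n with no boundary marker (the design the post
    describes; SHA-256 is an assumed stand-in for the draft's hash)."""
    return hashlib.sha256(to_bytes(e) + to_bytes(n)).hexdigest()

def fp_length_prefixed(e: int, n: int) -> str:
    """Fingerprint where each field carries a 4-byte length prefix, so no
    bytes can move between exponent and modulus without changing the hash."""
    h = hashlib.sha256()
    for part in (to_bytes(e), to_bytes(n)):
        h.update(len(part).to_bytes(4, "big"))
        h.update(part)
    return h.hexdigest()

def alternative_splits(e: int, n: int) -> list:
    """Other (exponent, modulus) pairs whose concatenation is byte-identical
    to that of (e, n), i.e. pairs fp_concat() cannot tell apart."""
    blob = to_bytes(e) + to_bytes(n)
    own = len(to_bytes(e))
    pairs = []
    for i in range(1, len(blob)):
        left, right = blob[:i], blob[i:]
        # Skip the real boundary and splits that would not re-encode identically.
        if i == own or left[0] == 0 or right[0] == 0:
            continue
        pairs.append((int.from_bytes(left, "big"), int.from_bytes(right, "big")))
    return pairs

# Constructed sample values (not a real key).
E = 0x010001
N = 0xD14F9B27836A55E1

if __name__ == "__main__":
    print("original     ", fp_concat(E, N)[:16], fp_length_prefixed(E, N)[:16])
    for e2, n2 in alternative_splits(E, N):
        same = fp_concat(e2, n2) == fp_concat(E, N)
        print(f"e'={e2:#x} n'={n2:#x} concat-collides={same} "
              f"prefixed={fp_length_prefixed(e2, n2)[:16]}")
```

Every alternative pair collides under the unmarked concatenation, while the length-prefixed form gives each pair a distinct fingerprint.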