- From: Thomas Roessler <tlr@w3.org>
- Date: Wed, 2 Feb 2005 20:08:54 +0100
- To: fenton@cisco.com, mat@cisco.com
- Cc: ietf-mailsig@imc.org
There seem to be two security-relevant vulnerabilities in draft-fenton-identified-mail-01.txt.

1. MIME.

When a site sends e-mail with the body length count different from -1, then an attacker can change the message's "Content-Type" header to "multipart/mixed" with a boundary parameter that occurs nowhere in the message's body. The attacker can then proceed to append a valid MIME multipart body to the message without invalidating the IIM signature. According to section 5.5.1 of RFC 2046, receiving agents will have to ignore the original signed message's content, and display only the material appended by the attacker.

One cure to this attack would consist in using multipart/signed messages, as PGP/MIME and S/MIME do.

2. Fingerprints.

The key fingerprint used by IIM seems to be based on concatenating the public exponent's and modulus' bit strings, without any indication where one begins and the other ends. Hence, it is possible for an attacker to shift the limit between the two. The attacker then obtains a number of candidate (exponent, modulus) pairs that will lead to the same fingerprint; notably, the modulus in these candidate pairs can be chosen much shorter than the original one. The attacker can then search for a modulus that has two divisors, and generate the corresponding private exponent. This attack was described at [1], as an attack on the PGP 2 public key fingerprint design.

To fix this attack, it would be useful to use a fingerprint format that makes sure that no bits can be shifted between the public exponent and the RSA modulus.

1. http://cypherpunks.venona.com/date/1997/06/msg00523.html

Regards,
--
Thomas Roessler, W3C <tlr@w3.org>
Received on Wednesday, 2 February 2005 19:22:32 UTC
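An added illustration of the fingerprint ambiguity in point 2 (example code written for this archive page, not from the IIM draft or its authors): it hashes exponent||modulus with no framing, enumerates the other (exponent, modulus) splits of the same byte string that a verifier would accept as the same key, and contrasts that with a length-prefixed encoding of the kind the mail asks for. The key is a constructed toy value, and the shift is shown at byte rather than bit granularity; the hash function and the 2-byte length prefix are assumptions, not the draft's actual encoding.

```python
import hashlib


def to_bytes(x: int) -> bytes:
    """Big-endian encoding of a non-negative integer, no leading zero bytes."""
    return x.to_bytes((x.bit_length() + 7) // 8, "big")


def naive_fingerprint(e: int, n: int) -> str:
    """Fingerprint over exponent||modulus with nothing marking the boundary,
    the construction the mail attributes to the IIM draft (hash is assumed)."""
    return hashlib.sha256(to_bytes(e) + to_bytes(n)).hexdigest()


def framed_fingerprint(e: int, n: int) -> str:
    """Fix: prefix each integer with its 2-byte length before hashing, so a
    byte can only ever belong to one field and no shifting is possible."""
    def frame(x: int) -> bytes:
        raw = to_bytes(x)
        return len(raw).to_bytes(2, "big") + raw
    return hashlib.sha256(frame(e) + frame(n)).hexdigest()


def boundary_shifts(e: int, n: int) -> list[tuple[int, int]]:
    """Every other (exponent, modulus) pair obtained by splitting the same byte
    string at a different position. Later splits give a much shorter modulus,
    which is the point the mail makes about the PGP 2 fingerprint attack."""
    blob = to_bytes(e) + to_bytes(n)
    original = len(to_bytes(e))
    return [(int.from_bytes(blob[:i], "big"), int.from_bytes(blob[i:], "big"))
            for i in range(1, len(blob)) if i != original]


def check_scheme(fingerprint, e: int, n: int) -> int:
    """Count the shifted pairs a verifier using `fingerprint` would accept as
    the same key. 0 means the encoding is unambiguous."""
    target = fingerprint(e, n)
    return sum(1 for e2, n2 in boundary_shifts(e, n)
               if fingerprint(e2, n2) == target)


# Constructed toy key: one-byte exponent, 64-bit modulus with no zero bytes
# (so every split round-trips through to_bytes). Not a real RSA key.
E = 0x11
N = 0xC2A5F8E13B7D9F11

if __name__ == "__main__":
    print("naive scheme accepts", check_scheme(naive_fingerprint, E, N), "shifted pairs")
    print("framed scheme accepts", check_scheme(framed_fingerprint, E, N), "shifted pairs")
```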