Jeff Abrahamson on Thu, 4 Sep 2003 08:43:47 -0400


[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[PLUG] gpg spoof?


I received an encrypted and signed email which I decrypt and verify by
piping through gpg (no options). The output looked like below (the
part indented by two spaces).

In mutt, I type "|gpg<return>"

Now, I don't suspect Erin was trying to spoof me, and she had enclosed
a semi-random string that I had encrypted to her. So this one case
doesn't bother me.

But, in general, how can I distinguish between the end of the
encrypted message and the beginning of the "gpg: Signature ..." stuff?
Couldn't someone just include such a (forged) signature block at the
end of their message, then encrypt the whole thing without signing,
and so convince me that the message was signed by someone else?

  You need a passphrase to unlock the secret key for
  user: "Jeff Abrahamson <jeff@purple.com>"
  2048-bit ELG-E key, ID 29595FCD, created 2002-05-02 (main key ID 0D1DAE4B)

  gpg: encrypted with 2048-bit ELG-E key, ID ADD31B0A, created 2003-08-28
	"Erin Mulder <meara@alumni.princeton.edu>"
  gpg: encrypted with 2048-bit ELG-E key, ID 29595FCD, created 2002-05-02
	"Jeff Abrahamson <jeff@purple.com>"
  Hi Jeff,

  It was great meeting you all.   Thanks for signing my key.

  Cheers,
  Erin

  Jeff Abrahamson wrote:
  > Hi, Erin.
  > 
  > Could you please respond to this message, signed and encrypted, so
  > that I know you are who you say you are?
  > 
  > Here's a semi-random string to include in your response:
  > 
  >     153758709bcbdfc23f745c0b4656939632cfb6df
  > 
  > Thanks.
  > 
  gpg: Signature made Thu 04 Sep 2003 12:15:32 AM EDT using DSA key ID A54DA2DF
  gpg: Good signature from "Erin Mulder <meara@alumni.princeton.edu>"
  gpg: WARNING: This key is not certified with a trusted signature!
  gpg:          There is no indication that the signature belongs to the owner.
  Primary key fingerprint: 8609 5F8C E335 F93F 40CC  14B8 10FA 4C88 A54D A2DF


-- 
 Jeff

 Jeff Abrahamson  <http://www.purple.com/jeff/>
 GPG fingerprint: 1A1A BA95 D082 A558 A276  63C6 16BF 8C4C 0D1D AE4B

Attachment: pgpvJDNBrTHoP.pgp
Description: PGP signature