Charles Stack on Tue, 9 Sep 2003 16:13:17 -0400

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

RE: [PLUG] gpg spoof?

You may be the would be victim of an spoof or potential identify theft.
There are multiple ways to forge encrypted e-mail and signatures.  It is
possible as well that by sending you a signed message, your response to that
message could afford a would-be attacker with a known plaintext attack
against your certificate.  It's possible that Erin's certificate has already
been compromised.

I would suggest that both you and Erin change your certificates.


-----Original Message-----
[]On Behalf Of Jeff Abrahamson
Sent: Thursday, September 04, 2003 08:40 AM
Subject: [PLUG] gpg spoof?

I received an encrypted and signed email which I decrypt and verify by
piping through gpg (no options). The output looked like below (the
part indented by two spaces).

In mutt, I type "|gpg<return>"

Now, I don't suspect Erin was trying to spoof me, and she had enclosed
a semi-random string that I had encrypted to her. So this one case
doesn't bother me.

But, in general, how can I distinguish between the end of the
encrypted message and the beginning of the "gpg: Signature ..." stuff?
Couldn't someone just include such a (forged) signature block at the
end of their message, then encrypt the whole thing without signing,
and so convince me that the message was signed by someone else?

  You need a passphrase to unlock the secret key for
  user: "Jeff Abrahamson <>"
  2048-bit ELG-E key, ID 29595FCD, created 2002-05-02 (main key ID 0D1DAE4B)

  gpg: encrypted with 2048-bit ELG-E key, ID ADD31B0A, created 2003-08-28
	"Erin Mulder <>"
  gpg: encrypted with 2048-bit ELG-E key, ID 29595FCD, created 2002-05-02
	"Jeff Abrahamson <>"
  Hi Jeff,

  It was great meeting you all.   Thanks for signing my key.


  Jeff Abrahamson wrote:
  > Hi, Erin.
  > Could you please respond to this message, signed and encrypted, so
  > that I know you are who you say you are?
  > Here's a semi-random string to include in your response:
  >     153758709bcbdfc23f745c0b4656939632cfb6df
  > Thanks.
  gpg: Signature made Thu 04 Sep 2003 12:15:32 AM EDT using DSA key ID
  gpg: Good signature from "Erin Mulder <>"
  gpg: WARNING: This key is not certified with a trusted signature!
  gpg:          There is no indication that the signature belongs to the
  Primary key fingerprint: 8609 5F8C E335 F93F 40CC  14B8 10FA 4C88 A54D


 Jeff Abrahamson  <>
 GPG fingerprint: 1A1A BA95 D082 A558 A276  63C6 16BF 8C4C 0D1D AE4B

Philadelphia Linux Users Group        --
Announcements -
General Discussion  --