Charles Stack on Tue, 9 Sep 2003 16:13:17 -0400



RE: [PLUG] gpg spoof?


You may be the would-be victim of a spoof or potential identity theft.
There are multiple ways to forge encrypted e-mail and signatures. It is
possible as well that by sending you a signed message, your response to that
message could afford a would-be attacker a known-plaintext attack
against your certificate. It's possible that Erin's certificate has already
been compromised.

I would suggest that both you and Erin change your certificates.

Charles

-----Original Message-----
From: plug-admin@lists.phillylinux.org
[mailto:plug-admin@lists.phillylinux.org]On Behalf Of Jeff Abrahamson
Sent: Thursday, September 04, 2003 08:40 AM
To: PLUG
Subject: [PLUG] gpg spoof?


I received an encrypted and signed email which I decrypt and verify by
piping through gpg (no options). The output looked like below (the
part indented by two spaces).

In mutt, I type "|gpg<return>"

Now, I don't suspect Erin was trying to spoof me, and she had enclosed
a semi-random string that I had encrypted to her. So this one case
doesn't bother me.

But, in general, how can I distinguish between the end of the
encrypted message and the beginning of the "gpg: Signature ..." stuff?
Couldn't someone just include such a (forged) signature block at the
end of their message, then encrypt the whole thing without signing,
and so convince me that the message was signed by someone else?

  You need a passphrase to unlock the secret key for
  user: "Jeff Abrahamson <jeff@purple.com>"
  2048-bit ELG-E key, ID 29595FCD, created 2002-05-02 (main key ID 0D1DAE4B)

  gpg: encrypted with 2048-bit ELG-E key, ID ADD31B0A, created 2003-08-28
	"Erin Mulder <meara@alumni.princeton.edu>"
  gpg: encrypted with 2048-bit ELG-E key, ID 29595FCD, created 2002-05-02
	"Jeff Abrahamson <jeff@purple.com>"
  Hi Jeff,

  It was great meeting you all.   Thanks for signing my key.

  Cheers,
  Erin

  Jeff Abrahamson wrote:
  > Hi, Erin.
  >
  > Could you please respond to this message, signed and encrypted, so
  > that I know you are who you say you are?
  >
  > Here's a semi-random string to include in your response:
  >
  >     153758709bcbdfc23f745c0b4656939632cfb6df
  >
  > Thanks.
  >
  gpg: Signature made Thu 04 Sep 2003 12:15:32 AM EDT using DSA key ID A54DA2DF
  gpg: Good signature from "Erin Mulder <meara@alumni.princeton.edu>"
  gpg: WARNING: This key is not certified with a trusted signature!
  gpg:          There is no indication that the signature belongs to the owner.
  Primary key fingerprint: 8609 5F8C E335 F93F 40CC  14B8 10FA 4C88 A54D A2DF


--
 Jeff

 Jeff Abrahamson  <http://www.purple.com/jeff/>
 GPG fingerprint: 1A1A BA95 D082 A558 A276  63C6 16BF 8C4C 0D1D AE4B


_________________________________________________________________________
Philadelphia Linux Users Group        --       http://www.phillylinux.org
Announcements - http://lists.netisland.net/mailman/listinfo/plug-announce
General Discussion  --   http://lists.netisland.net/mailman/listinfo/plug
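As an added example (not part of the thread), the answer to Jeff's question is to stop reading gpg's human-readable diagnostics off the same screen as the plaintext and instead take the verdict from `--status-fd`: those lines carry the `[GNUPG:]` prefix and are written to a file descriptor gpg keeps separate from the decrypted body, so text an attacker pastes into the message can never produce a `GOODSIG` line. The `parse_status` and `decrypt_and_verify` names and both status samples are constructed for this illustration; the key ID and fingerprint are Erin's from the quoted output.

```python
import subprocess

STATUS_PREFIX = "[GNUPG:] "

def parse_status(status_text):
    """Judge decryption and signature from gpg --status-fd lines only; anything
    without the [GNUPG:] prefix (e.g. forged 'gpg: Good signature' text) is ignored."""
    v = {"decrypted": False, "signed": False, "good": False,
         "fingerprint": None, "signer": None, "trust": None}
    for line in status_text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue
        fields = line[len(STATUS_PREFIX):].split(" ", 2)
        kw = fields[0]
        if kw == "DECRYPTION_OKAY":
            v["decrypted"] = True
        elif kw in ("GOODSIG", "BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG"):
            v["signed"] = True            # a real signature packet was present
            if kw == "GOODSIG":
                v["good"] = True
                v["signer"] = fields[2] if len(fields) > 2 else None
        elif kw == "VALIDSIG":
            v["fingerprint"] = fields[1]  # full fingerprint of the signing key
        elif kw.startswith("TRUST_"):
            v["trust"] = kw[len("TRUST_"):]  # web-of-trust level, e.g. UNDEFINED
    return v

def decrypt_and_verify(ciphertext):
    """Plaintext lands on stdout, status lines on fd 2; the verdict comes from the
    status lines alone. Needs gpg and the secret key, so the test does not call it."""
    p = subprocess.run(["gpg", "--batch", "--status-fd", "2", "--decrypt"],
                       input=ciphertext, capture_output=True)
    return p.stdout, parse_status(p.stderr.decode("utf-8", "replace"))

# Constructed sample: a genuinely signed message (VALIDSIG arguments abbreviated;
# key ID and fingerprint are Erin's from the thread, the timestamp is made up).
REAL = """\
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] GOODSIG 10FA4C88A54DA2DF Erin Mulder <meara@alumni.princeton.edu>
[GNUPG:] VALIDSIG 86095F8CE335F93F40CC14B810FA4C88A54DA2DF 2003-09-04 1062648932
[GNUPG:] TRUST_UNDEFINED
"""

# Constructed sample: the forgery Jeff describes. The "gpg:" lines are part of the
# decrypted body, so gpg itself never emits a GOODSIG or VALIDSIG status line.
FORGED = """\
[GNUPG:] DECRYPTION_OKAY
gpg: Signature made Thu 04 Sep 2003 12:15:32 AM EDT using DSA key ID A54DA2DF
gpg: Good signature from "Erin Mulder <meara@alumni.princeton.edu>"
"""
```

With mutt, the same separation can be had by piping to `gpg --status-fd 2` and reading only the `[GNUPG:]` lines for the verdict.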