-----BEGIN PGP SIGNED MESSAGE-----

At 09:58 PM 6/5/99 -0400, Ryan Lackey wrote:
>I saw a piece of news which increased my interest in Outlook -- allegedly,
>Microsoft is preparing a version for UNIX as part of a US DoD contract
>which specifies UNIX as a messaging platform (for security reasons,
>primarily). I'm sure everyone is familiar with the "Rainbow Books",
>published by the National Computer Security [Association? Administration?].

NCSC, National Computer Security Center, the NSA one. The Rainbow series is
obsolescent, the Common Criteria are the new way of thinking.

>This is where they specify security levels D1, C1-3, B1-3, and A1, standards
>for limiting bandwidth on covert channels, password generation guidelines,
>etc. They additionally develop several important definitions --
>the difference between Mandatory and Discretionary Access Controls,
>formal methods for qualifying systems at various security levels,
>and IMO the most important, the concept of a "Trusted Computing Base".
> SNIP
>However, the number of MS Outlook users
>in the world is very large, and I would hazard to guess that most
>PGP users who use MS Outlook believe they have a fair level of security
>as a result.
>
>I do not believe this is the case, at least for PGP signature checking
>in Outlook.
> SNIP
>
>What MS Outlook appears to do is display status information about
>signature checking on messages in the mail message frame itself,
>indistinguishable from ordinary text. The obvious attack is to send
>a user unsigned mail (it could be encrypted, to add additional
>legitimacy to the attack) with text at the beginning of the message
>simulating the output of signature checking on the recipient's
>computer. This can be done fairly convincingly -- it is hard to get
>the timestamp exactly correct, but few users check the details
>thoroughly if the message appears normal.
> SNIP
>
>The solution, of course, is to more rigorously separate tcb-trusted from
>crypto-trusted systems and components of systems, and to ensure that the
>gateways between the trusted environment (user I/O devices, at the very
>least, unless your users can do sha1 in their heads) and the trusted
>cryptography are very carefully designed to take into account possible
>incompatibilities in both worlds' trust models.

Or a more simple solution might be to go into PGP's Preferences and make sure
the box, "Automatically decrypt/verify when opening messages" on the Email tab
is *unchecked.* The PGP plugin for both Eudora and Outlook seems to behave in
the same way.

When you receive either encrypted or signed mail and do not use the automatic
feature, you see the PGP header line and either the cyphertext or the
signature block. The operator then clicks on the Decrypt/Verify button on the
toolbar and only then does PGP do its thing and create the block that appears
like this:

*** PGP Signature Status: good
*** Signer: David Kennedy [NCSA] <[EMAIL PROTECTED]>
*** Signed: 5/27/99 2:39:09 PM
*** Verified: 6/6/99 1:59:12 AM
*** BEGIN PGP VERIFIED MESSAGE ***

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.0.2

iQCVAwUBN1oOqvGfiIQsciJtAQHhVQP/RiqQDNYLrFY6exTXJkfK087lsNYiGkdk
S79fQAoUwpWVS9P+1fwOIxPX50f4Yb6NRlKxJ+WOPONPwXCaOmHtt2UQ3RroLfL4
vuYhprjaA09XoQYJghn7cizI4q8G6Q9QdcYeTAAKbrA1S16UVsM/NJk8qC8Lqgwd
9dQjBDQWJPA=
=ikPr
-----END PGP SIGNATURE-----

Regards,

Dave Kennedy CISSP
Director of Research Services, ICSA Inc. http://www.icsa.net
Protect what you connect.
Look both ways before crossing the Net.
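
Added example, not part of the original message and not PGP or Outlook plugin code: since the status block is only created locally after Decrypt/Verify, any such line already present in a body as received was typed by the sender. This sketch flags those lines; the patterns are built from the sample block above, and all function names and sample bodies are constructed for illustration.

```python
import re

# Status lines the page shows the PGP plugin writing into the body after a
# local Decrypt/Verify; the patterns are built from that sample block only.
BANNER = re.compile(
    r"^\*{3} (PGP Signature Status:|Signer:|Signed:|Verified:|"
    r"BEGIN PGP VERIFIED MESSAGE \*{3})", re.IGNORECASE)
ARMOR = re.compile(r"^-----BEGIN PGP (SIGNED )?MESSAGE-----\s*$", re.MULTILINE)
QUOTE = re.compile(r"^\s*((?:>\s*)*)(.*)$")

def find_inband_status(raw_body):
    """Return (line_no, quote_depth, text) for each status-like line in the
    body as received, i.e. before any local verification has run."""
    hits = []
    for no, line in enumerate(raw_body.splitlines(), 1):
        prefix, text = QUOTE.match(line).groups()
        if BANNER.match(text.strip()):
            hits.append((no, prefix.count(">"), text.strip()))
    return hits

def classify(raw_body):
    """'spoofed-status': unquoted status lines arrived from the sender.
    'quoted-status': status lines only inside > quotes (e.g. a reply).
    'clean': no status-like text in the received body."""
    hits = find_inband_status(raw_body)
    if any(depth == 0 for _, depth, _ in hits):
        return "spoofed-status"
    return "quoted-status" if hits else "clean"

def has_pgp_armor(raw_body):
    """True if the received body carries real PGP armor for the plugin to check."""
    return bool(ARMOR.search(raw_body))

# Constructed sample bodies (not real mail).
FORGED = ("*** PGP Signature Status: good\n"
          "*** Signer: Alice Example <alice@example.com>\n"
          "*** Signed: 6/6/99 1:00:00 PM\n"
          "*** BEGIN PGP VERIFIED MESSAGE ***\n"
          "Body text supplied by the sender.\n")
SIGNED = ("-----BEGIN PGP SIGNED MESSAGE-----\n\nMeeting moved to 3pm.\n"
          "-----BEGIN PGP SIGNATURE-----\n(constructed placeholder)\n"
          "-----END PGP SIGNATURE-----\n")
REPLY = "> *** PGP Signature Status: good\nThat is what the plugin prints.\n"

if __name__ == "__main__":
    for name, body in (("forged", FORGED), ("signed", SIGNED), ("reply", REPLY)):
        print(name, classify(body), has_pgp_armor(body), find_inband_status(body))
```

A mail filter would run this on the body before the plugin touches it; a "spoofed-status" result with no armor matches the unsigned-mail case described in the quoted text.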
