PGP: sequencing messages

Trevor Smith pmmail@rpglink.com
Wed, 05 Apr 2000 11:30:58 -0300 (ADT)


On Tue, 04 Apr 2000 23:52:21 +0000, John Drabik wrote:

>require EVERY outbound message to have a unique ID.  Here's the idea
>(and the problem):

To start with, every outbound message you send *does* have a unique
ID number in its header (as I understand the email standard). For
example, your message to this list says:

Message-Id: <E12ciw9-0000kp-00@mail.xmission.com>

This probably is not good enough for you for a few reasons.

1. You won't see it unless you Cc: or Bcc: yourself since it is added
by your mail server and not your personal email client.

2. Anyone could change it and then forward the message and there is
no way to prove this has happened without involving your ISP and then
you have to rely on their integrity.

So, let's move on to the next possibility. Simply PGP signing every
outgoing message (or just the ones to the people you're concerned
about) will result in every outbound message having a unique ID.
Statistically speaking, no two PGP signatures can EVER be identical
-- even for identical text. For example, I just sent two PGP signed
messages to myself within seconds of each other and with exactly the
same text ("Here is a test."). Here are the two signatures:

What are the drawbacks to PGP signing your messages as far as I
understand your requirements?

Drawback #1.
There is no indication in a PGP signature *who* the message was
originally sent to. (PGP signatures sign *only* the body, not the
headers of a message.) However, inserting an encrypted serial number
into messages would not be any better for this purpose since serial
numbers alone will not identify someone unless you're generating the
serial number based on the person's name.

Most likely you would just keep the original emails for your future
identification of which serial numbers went to which recipients at
which times. PGP signatures could be used with the same method and
are much easier to implement in PMMail/2.

In fact, if you follow three steps with all your email sending, you
can have some measure of protection (I'm not sure it would stand up
in court but...):

  a) Add, in the *body* of each email, something simple which
  identifies the sender and the date/time. This could be something
  like:

    March 5, 2000         10:05am
    Dear Bob,

    [...rest of message...]

    Sincerely,
    John

  b) Add yourself to the Cc: or Bcc: list so you receive a copy from
  the mail server.

  c) PGP sign the message.

Now you have a PGP signed message and you know the unique message id
assigned to it by your mail server because you received a copy. The
only way for someone to modify the message body without it being
immediately revealed by the PGP signature is to entirely remove the
PGP signature. Your copy will show that the PGP signature was there
in the first place, however, and if the recipient claims you only
added the PGP signature later, you can threaten to ask your ISP to
dig up the original email in their archives. Many (most?)
ISPs/network admins keep archives of emails sent for up to 6 months
(or more).

Drawback #2.
It will be obvious to the recipient that the message was PGP signed.
If he understands PGP signing, he will know there is no way he can
modify a PGP signature (assuming the sender has PGP set up properly
and has generated a secure key).

It seems to me that you would prefer that the recipient not know that
the message was "tamper-proof" for some reason. Is this correct? If
you just don't want people to feel distrusted, you could simply turn
PGP signing on for *all* outgoing messages. Or you could simply
explain (or add a line in your sig) that you sign all messages so
your recipients can know they're from you (i.e. for *their*
protection).

>But it must contain
>some type of data that uniquely ties the message to a particular,
>original, recipient.

I think this can only ever be done to *your own* satisfaction. I do
not think there is any way to create a message that could later be
proven to *everyone* that it was sent to a certain person at a
certain date/time (short of maybe buying the services of a
certificate authority?).

>Later, suppose that person B forwards my message to somebody else. 
>If that message comes back to me later, I'd be able to tell that it
>was person B who sent the message to the third-party.  On the other

But if all you want is the above (for *you* to be able to tell it
came from person B), just use a PGP signature and keep all your sent
messages somewhere. Then check the date/time in the PGP signature of
the forwarded message with the date/time the original message was
sent. Or use my earlier suggestion about adding the person's name to
the body of the email before PGP signing it.

>hand, if the "signature" was removed, it could be legitimately
>claimed that the message had been modified, and the burden of proof
>as to how or when then falls on the person who sends the message to

And this is exactly what you'll get with PGP. If the PGP signature is
removed you'll know the message has been modified and can challenge
the sender.

On a side note, there's no good way for you to prove to anyone that
you did originally PGP sign the message. PGP signatures contain a
date/time stamp but anyone can set their computer's clock back, sign
a message and then claim it was done in 1998 -- even though it was
really only added in 2000, years after the original message was
composed.

>me.  The hope is that they wouldn't even notice the "tag", thinking
>it to be some part of the signature line, but not as obvious as "PGP
>key: xxxxxxx" or some such thing.  But even if they did, the message
>would still be obviously destroyed or tampered with, and the
>legitimacy could be immediately challenged.

In the end, I think the only benefit of sneaking in a small id number
would be the hope that someone would not notice/understand it and
then pass it along, intact, in their attempt to spoof you. If you
think that this is likely to happen, PGP signatures are not for you
since the spoofer will likely know enough to remove the PGP
signature.

To sum up:

If you can live with some people realizing the message is unique, PGP
sign it and include the date/time and the person's name in the body
of the message.

If you're *really* concerned that the recipient not notice the
attempt to make the message unique, and you are satisfied with an
"insecure" identifier (one that isn't cryptographically generated
based on the contents of the message), I would recommend something
like this:

Generate your unique id as a "binary" string of characters, for
example, something like one of these:

=-=-==---=-==----=--===-=-=-=--==--===---=-=--

=:=:==:::=:==::::=::===:=:=:=::==::===:::=:=::

:-:-::---:-::----:--:::-:-:-:--::--:::---:-:--

:.:.::...:.::....:..:::.:.:.:..::..:::...:.:..

:|:|::|||:|::||||:||:::|:|:|:||::||:::|||:|:||

|!|!||!!!|!||!!!!|!!|||!|!|!|!!||!!|||!!!|!|!!

:!:!::!!!:!::!!!!:!!:::!:!:!:!!::!!:::!!!:!:!!

One of these lines could easily be stuck at the top and bottom of a
signature without anyone realizing what they're for. People might
catch on if they start to compare messages over time though.

Forget about encrypting the unique id, that will make it too big and
too obvious. If you're going to make it obvious, you'd be better off
with PGP signatures.



-- 
 Trevor Smith          |          trevor@haligonian.com
 PGP public key available at: www.haligonian.com/trevor

PGP Public Key Fingerprint= A68C C4EC C163 5C0A 6CFA  671F 05D4 0B30 318B AFD6
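
Added example, not part of the original post and not the author's code: a sketch of the "binary" string identifier suggested above, together with the sent-message log needed to map a tag back to its recipient when a forwarded copy comes back. The function names, the log layout, and the sample recipients and dates are assumptions constructed for illustration; the symbol pairs and the 46-character width are read off the sample lines in the post.

```python
import re
import secrets

WIDTH = 46  # length of the sample lines in the post
# (zero, one) symbol pairs, read off the post's sample lines
ALPHABETS = ["-=", ":=", "-:", ".:", "|:", "!|", "!:"]

def new_serial() -> int:
    """Random serial; never all-0 or all-1 bits, so both symbols appear."""
    while True:
        s = secrets.randbits(WIDTH)
        if 0 < s < (1 << WIDTH) - 1:
            return s

def encode(serial: int, alphabet: str = "-=") -> str:
    """Render the serial as a WIDTH-character two-symbol rule line."""
    zero, one = alphabet
    bits = format(serial, f"0{WIDTH}b")
    return bits.translate(str.maketrans("01", zero + one))

def decode(line: str):
    """Return the serial hidden in a rule line, or None if it is not one."""
    line = line.strip()
    if len(line) != WIDTH:
        return None
    for zero, one in ALPHABETS:
        if set(line) == {zero, one}:
            return int(line.translate(str.maketrans(zero + one, "01")), 2)
    return None

def trace(body: str, sent_log: dict) -> list:
    """Look up every tag found in a (possibly quoted) message body."""
    hits = []
    for raw in body.splitlines():
        serial = decode(re.sub(r"^(\s*>)+\s?", "", raw))  # drop "> " quoting
        if serial in sent_log and sent_log[serial] not in hits:
            hits.append(sent_log[serial])
    return hits

# Constructed sample data: two recipients and a forwarded, quoted copy.
bob, carol = new_serial(), new_serial()
SENT_LOG = {bob: ("Bob", "2000-03-05 10:05"), carol: ("Carol", "2000-03-05 10:07")}
FORWARDED = "\n".join([
    "Look what John wrote:",
    "> Dear Bob,",
    "> [...rest of message...]",
    "> " + encode(bob, ".:"),
    "> John",
])
print(trace(FORWARDED, SENT_LOG))
```

The tag is only a lookup key into the sender's own records; anyone who notices it can alter or strip it, which is the trade-off against a PGP signature described in the post.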