The problem could allow the recipient of a signed and encrypted e-mail to forward the message to a third party, while making it seem as if the original sender mailed the message directly. If the message contained, say, trade secrets and the third party was a competitor, the technique could be used to, among other things, frame a co-worker.
"The recipient is liable to assume that encryption security guarantees that no one but the sender has seen the mail, but encryption experts know that isn't true," said Don Davis, corporate architect for security at Web application firm Curl, who will present his findings at the USENIX Technical Conference in Boston.
The flaw, which has been well known in encryption circles for years, rests in the common method of sending secure e-mail. Digitally signing the text and then encrypting the message so only the recipient can read it only guarantees who wrote the message and who can read the message, not who sent it.
That may seem like mincing words, but in the world of encryption, such small differences can become large security holes.
However, many encryption experts have questioned how large of security hole the problem presents.
"I have a problem with him calling this a flaw," said Jeff Schiller, security area director for the Internet Engineering Task Force, the group responsible for setting standards on the Internet. "It's like saying the problem with houses with locks is that there are also windows."
For Davis, the issue is one of context.
If the sender makes statements in a signed message that are not clearly addressed to the recipient or have the context stated in the subject line, the recipient could use surreptitious forwarding to send an incriminating e-mail.
For example, if a company consists of co-workers Alice and Bob and their boss Charlie, Alice might send Bob a message with the subject "If there was no hunger..." and the body text "the world would be a better place. -Alice"
Bob could surreptitiously forward the message to Charlie and change the subject line to say "If you were dead..." without invalidating Alice's signature on the original body of the text. The result: Charlie believes Alice sent him a message anticipating his demise.
While largely theoretical, opportunities to exploit the flaw abound. The flaw has crept back into oft-used encryption standards, Davis explained, undermining the degree to which a person can trust an e-mail message's apparent source.
Common encryption standards, such as Pretty Good Privacy, S/MIME, MOSS, Privacy Enhanced Mail and PKCS#7, have all incorporated the flaw. Applications based on those standards could fall prey to surreptitious forwarding.
"The context of the network has changed out from under the developers of the code," Davis said. "The Net is populated by very naive users, who believe software makers' claims. The products are not delivering on their promise, though."
Perhaps more threatening is that recent digital-signature laws have assumed that such signed and encrypted messages are so secure that consumers should be held liable for any use of their signature.
"Part of the concern is that we shouldn't put too much liability on the user," said Alan Davidson, associate director with the Center for Democracy and Technology. "This highlights the reason why you wouldn't want the user to have that kind of burden. You would prefer the situation where the incentive, including the liability incentive, lies with the technology provider."
But others point out that putting more context in messages easily solves the problem. Putting "Dear Bob" in the previous message, for example, would prevent Bob from surreptitiously forwarding the message to a third party.
"This is not a crypto flaw. This is an engineering flaw," said one encryption expert posting on the Cryptography mailing list, where news about the flaw was first posted. "The simple fix would be to include the appropriate mail headers within the signed portion of the message. In particular, including the 'To' and 'Cc' fields would immediately protect against both of these attacks."
Curl's Davis agreed that users who educate themselves about the danger should be able to protect themselves.
"Make sure you put at least the salutation into your messages that you sign and encrypt," he said. "It is a good idea to duplicate the entire mail header."
Just like people don't send mail that simply says, "No," people should not send e-mail without context, said Ian Goldberg, chief scientist with encryption and privacy service provider Zero Knowledge Systems.
"I don't think it's a very big problem," he said.
A better solution would be for the standards to include such information on their own, he said, adding that he is already talking to the S/MIME standards group to revise the security in that standard.