Watermarking returns+ graphical signatures

Glenn Steen glenn.steen at gmail.com
Fri Jul 13 23:22:46 IST 2007


On 13/07/07, --[ UxBoD ]-- <uxbod at splatnix.net> wrote:
> Glenn,
>
> Have it installed now, and the fact that MD5 is being used then I would
> imagine very secure.  I have not looked at the code yet to see how easy it
> would be to reverse engineer, but I reckon that all is good.

MD5 is OK as a hash function, yes, but it is only that.... no magic at
all... If the things you are hashing are easily determined (except for
a simple secret), then you would be open to a brute force attack on
that part (the secret... This is why it is still imperative to protect
your password hashes, even if you do use MD5 passwords;-).
In this particular case I'm thinking that Matt&Jules probably have
added enough, as long as everything isn't readable from the message.
What makes it likely a useable thing is the expiry, which is what I'll
have to look more closely at (I'm thinking this thing could be very
useful for setups like mine... small to medium corporate thingies...
So I really want this to be workable:-). I'll perhaps get some time
next week for code review:-).

> I am still disappointed that no one has posted the patent pending number
> for the FSL solution.  Would be very interesting reading, especially due to
> what this watermark is doing and without affecting the US patent, i.e.
> additional header and encrypted with key.
The small frustrations of life, I guess....:-):-)

> Regards,
>
> On Fri, 13 Jul 2007 21:01:18 +0200, "Glenn Steen" <glenn.steen at gmail.com>
> wrote:
> > On 13/07/07, Matt Hampton <matt at coders.co.uk> wrote:
> >> Sattler, Tim wrote:
> >> > Julian Field wrote:
> >> >
> >> >> Firstly, the watermarking functionality has returned. But this time it
> >> >> is implemented differently so is safe from all patent problems. It is
> >> >> implemented in pretty much the same way that milter-null does it.
> >> >
> >> > We have two MailScanner gateways both handling incoming and outgoing
> >> > mail, so the reply to a message does not necessarily come in the
> >> > same way the message went out. Does the watermarking functionality
> >> > work in such a setup as well?
> >>
> >> Yes - the hash is calculated on the envelope from and then various
> >> headers within the message itself and combined with your secret and
> >> a timestamp. It is then added as a header.
> >>
> >> When the message comes back in it uses the envelope to and then looks
> >> for the headers in the message body and checks the match and the expiry.
> >>
> >> matt
> >>
> > Right, so how crackable will this be? Some of the headers will be ever
> > the same, as will the secret... I suppose you've added in some headers
> > that will change? and something else? so that it isn't obvious, with a
> > little knowledge, how to brute force the secret... and then have a
> > "highway" past MailScanner... Which would be, obviously, very bad...:)
> >

Cheers
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

