Vulnerability Development mailing list archives
Re: PGP spoof decrypted output?
From: Rich Henning <vulnerable () fast net>
Date: Fri, 7 Jun 2002 12:42:41 -0400
On Fri, Jun 07, 2002 at 08:56:30AM -0500, McAllister, Andrew wrote:
> What result would you expect? The data I encrypted or the data the hacker appended? The answer: No warnings, no errors, just the data that the hacker APPENDED to my PGP encrypted file. Not the original signed and encrypted file itself. This seems like a bug to me, no? I've found that if you ASCII armor the file, the result is as expected after decryption. You get only the originally encrypted file. I have not tested gpg or pgpi or older versions, just the NAI PGP available from the MIT download site. Anyone care to test the other implementations?

I was unable to reproduce this behavior using GPGv1.0.6 on linux-2.4.18 x86. In fact, I was even warned that the encrypted message was modified:

$ cat TESTFILE2
this is a pgp encrypted file
$ gpg -es TESTFILE2
...
...
$ echo "APPENDED" >> TESTFILE2.gpg
$ gpg --decrypt TESTFILE2.gpg
...
...
gpg: encrypted with 1024-bit ELG-E key, ID A873F010, created 2001-10-18
      "Richard Henning <henninrp () fast net>"
this is a pgp encrypted file
gpg: Signature made Fri Jun 7 12:32:16 2002 EDT using DSA key ID 8B036609
gpg: Good signature from "Richard Henning <henninrp () fast net>"
gpg: WARNING: encrypted message has been manipulated!

--
[ rich henning ]          /"\
[ henninrp () fast net ]  \ /
                           X   support the ascii ribbon campaign against html e-mail
                          / \  pgp: http://diss0nance.lawngnome.org/pgp_public.txt
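
Added example, not part of the original post: a framing check over a binary OpenPGP packet stream (header layout per RFC 4880) that reports stray bytes or extra packets following the encrypted data packet, which is the condition tested in the session above. The names scan_openpgp, _new_len and MSG are made up for this sketch, and MSG is a constructed sample with dummy packet bodies; the check looks at framing only and does not replace gpg's own integrity warning.

```python
import struct

ENCRYPTED = {9, 18}  # encrypted data packet tags (RFC 4880: SED, SEIPD)

def _new_len(d, p):
    """Decode a new-format length at d[p]; return (length, next_pos, partial)."""
    o = d[p]
    if o < 192:
        return o, p + 1, False
    if o < 224:
        return ((o - 192) << 8) + d[p + 1] + 192, p + 2, False
    if o == 255:
        return struct.unpack(">I", d[p + 1:p + 5])[0], p + 5, False
    return 1 << (o & 0x1F), p + 1, True  # partial chunk; another length follows

def scan_openpgp(d):
    """Walk binary OpenPGP packets; return (tags, [(offset, problem), ...])."""
    tags, findings, p = [], [], 0
    while p < len(d):
        start, hdr = p, d[p]
        try:
            if not hdr & 0x80:
                raise ValueError("not a packet header")
            if hdr & 0x40:  # new-format header
                tag = hdr & 0x3F
                n, p, partial = _new_len(d, p + 1)
                while partial:
                    n, p, partial = _new_len(d, p + n)
            elif hdr & 3 == 3:  # old format, indeterminate length: body runs to EOF
                tag, n, p = (hdr >> 2) & 15, len(d) - p - 1, p + 1
            else:  # old format with a 1-, 2- or 4-octet length
                k = 1 << (hdr & 3)
                tag, n = (hdr >> 2) & 15, int.from_bytes(d[p + 1:p + 1 + k], "big")
                p += 1 + k
            p += n
            if p > len(d):
                raise ValueError("truncated packet")
        except (ValueError, IndexError, struct.error) as e:
            findings.append((start, f"{e}, {len(d) - start} bytes unparsed"))
            break
        if ENCRYPTED & set(tags):
            findings.append((start, f"packet tag {tag} after encrypted data"))
        tags.append(tag)
    return tags, findings

# Constructed sample: PKESK (tag 1) + SEIPD (tag 18) packets with dummy bodies.
MSG = bytes([0x84, 10]) + bytes(10) + bytes([0xD2, 16, 1]) + bytes(15)

if __name__ == "__main__":
    print(scan_openpgp(MSG))                  # clean framing, no findings
    print(scan_openpgp(MSG + b"APPENDED\n"))  # same append as in the session above
```

An encrypted data packet written with an indeterminate length runs to end of file, so bytes appended to it cannot be seen at the framing level; in that case only the decryption-time integrity check can catch them.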