On Fri, Jun 07, 2002 at 08:56:30AM -0500, McAllister, Andrew wrote:
> What result would you expect? The data I encrypted or the data the
> hacker appended? The answer: No warnings, no errors, just the data
> that the hacker APPENDED to my PGP encrypted file. Not the original
> signed and encrypted file itself. This seems like a bug to me, no?
>
> I've found that if you ASCII armor the file, the result is as expected
> after decryption. You get only the originally encrypted file. I have
> not tested gpg or pgpi or older versions, just the NAI PGP available
> from the MIT download site. Anyone care to test the other
> implementations?

I was unable to reproduce this behavior using GPGv1.0.6 on linux-2.4.18 x86.

In fact, I was even warned that the encrypted message was modified:

$ cat TESTFILE2
this is a pgp encrypted file
$ gpg -es TESTFILE2
...
...
$ echo "APPENDED" >> TESTFILE2.gpg
$ gpg --decrypt TESTFILE2.gpg
...
...
gpg: encrypted with 1024-bit ELG-E key, ID A873F010, created 2001-10-18
      "Richard Henning <henninrpat_private>"
this is a pgp encrypted file
gpg: Signature made Fri Jun 7 12:32:16 2002 EDT using DSA key ID 8B036609
gpg: Good signature from "Richard Henning <henninrpat_private>"
gpg: WARNING: encrypted message has been manipulated!

-- 
[ rich henning ]         /"\
[ henninrpat_private ]   \ /
                          X   support the ascii ribbon campaign against html e-mail
                         / \  pgp: http://diss0nance.lawngnome.org/pgp_public.txt