On Fri, Jun 07, 2002 at 08:56:30AM -0500, McAllister, Andrew wrote:
> What result would you expect? The data I encrypted or the data the hacker appended? The answer: No warnings, no errors, just the data that the hacker APPENDED to my PGP encrypted file. Not the original signed and encrypted file itself. This seems like a bug to me, no?
> I've found that if you ASCII armor the file, the result is as expected after decryption. You get only the originally encrypted file. I have not tested gpg or pgpi or older versions, just the NAI PGP available from the MIT download site. Anyone care to test the other implementations?
I was unable to reproduce this behavior using GPGv1.0.6 on linux-2.4.18 x86
in fact, i was even warned that the encrypted message was modified:
$ cat TESTFILE2
this is a pgp encrypted file
$ gpg -es TESTFILE2
...
...
$ echo "APPENDED" >> TESTFILE2.gpg
$ gpg --decrypt TESTFILE2.gpg
...
...
gpg: encrypted with 1024-bit ELG-E key, ID A873F010, created 2001-10-18
"Richard Henning <henninrpat_private>"
this is a pgp encrypted file
gpg: Signature made Fri Jun 7 12:32:16 2002 EDT using DSA key ID
8B036609
gpg: Good signature from "Richard Henning <henninrpat_private>"
gpg: WARNING: encrypted message has been manipulated!
--
[ rich henning ] /"\
[ henninrpat_private ] \ /
X
support the ascii ribbon campaign against html e-mail / \
pgp: http://diss0nance.lawngnome.org/pgp_public.txt
This archive was generated by hypermail 2b30 : Fri Jun 07 2002 - 14:31:31 PDT