RE: PGP spoof decrypted output?

From: McAllister, Andrew (McAllisterAat_private)
Date: Fri Jun 07 2002 - 13:53:00 PDT

Yes, the behavior you are seeing with gpg is exactly the behavior I would expect with PGP. In my opinion, PGP should warn and error out when decrypting an encrypted and signed file that has data appended to it. It should not simply take the appended data and overwrite the output of the encrypted/signed message when in batch mode.

Does anyone think I should raise this a level and contact NAI/McAfee? Anyone know of a contact point? Problems I see trying to get a fix are: 6.5.8 is out of date, the version I have is non-commercial, and I'm not a paying customer.

I'd switch to something else, but gpg et al. are not options: we get files from commercial entities who use the commercial version of PGP. We must be able to exchange keys, decrypt and verify the latest PGP formats, not the 2.x format.

We know that GPG v1.0.6 is NOT vulnerable. Anyone have another PGP version?

Andrew McAllister
University of Missouri
    
> -----Original Message-----
> From: Rich Henning [mailto:vulnerableat_private]
snip
> I was unable to reproduce this behavior using GPGv1.0.6 on
> linux-2.4.18 x86
> In fact, I was even warned that the encrypted message was modified:
snip
>       gpg: WARNING: encrypted message has been manipulated!
snip
    
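As an added defender-side check (not code from this thread, from PGP or from GnuPG): a small parser that walks the OpenPGP packet headers of a binary, non-armored encrypted file and returns any bytes appended after the encrypted data packet, so a batch job can refuse such input before handing it to the decryptor. It assumes the message ends with a single Symmetrically Encrypted (tag 9) or SEIP (tag 18) packet; the sample bytes are constructed, not a real message.

```python
# Added example: find data appended after an OpenPGP encrypted message
# (binary packet format, RFC 4880). Assumes a non-armored file whose
# message ends with one encrypted data packet (tag 9 or tag 18).
import struct

ENCRYPTED_DATA_TAGS = {9, 18}

def _new_format_length(data, pos):
    """Decode one new-format length field; return (length, next_pos, is_partial)."""
    first = data[pos]
    if first < 192:
        return first, pos + 1, False
    if first < 224:
        return ((first - 192) << 8) + data[pos + 1] + 192, pos + 2, False
    if first == 255:
        return struct.unpack(">I", data[pos + 1:pos + 5])[0], pos + 5, False
    return 1 << (first & 0x1F), pos + 1, True      # partial body length

def next_packet(data, pos):
    """Return (tag, end_offset) for the packet at pos; raise ValueError if malformed."""
    header = data[pos]
    if not header & 0x80:
        raise ValueError("not an OpenPGP packet header at offset %d" % pos)
    pos += 1
    if header & 0x40:                              # new-format header
        tag = header & 0x3F
        partial = True
        while partial:                             # follow partial-length chunks
            length, pos, partial = _new_format_length(data, pos)
            pos += length
    else:                                          # old-format header
        tag = (header >> 2) & 0x0F
        ltype = header & 0x03
        if ltype == 3:                             # indeterminate: runs to end of input
            return tag, len(data)
        width = (1, 2, 4)[ltype]
        if pos + width > len(data):
            raise ValueError("truncated length field")
        pos += width + int.from_bytes(data[pos:pos + width], "big")
    if pos > len(data):
        raise ValueError("packet body runs past end of input")
    return tag, pos

def trailing_data(data):
    """Bytes after the encrypted data packet (b'' if clean); None if no such packet."""
    pos = 0
    while pos < len(data):
        tag, pos = next_packet(data, pos)
        if tag in ENCRYPTED_DATA_TAGS:
            return data[pos:]
    return None

# Constructed sample: one PKESK (tag 1) packet, one SEIPD (tag 18) packet, then junk.
SAMPLE = b"\xc1\x0a" + b"\x00" * 10 + b"\xd2\x14\x01" + b"\x00" * 19 + b"appended\n"
```

A non-empty result from `trailing_data` is the condition that GnuPG reports as a manipulated message and that the thread says PGP 6.5.8 in batch mode silently accepts.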
This archive was generated by hypermail 2b30 : Fri Jun 07 2002 - 15:22:58 PDT