RE: PGP spoof decrypted output?

From: Lincoln Yeoh (lyeohat_private)
Date: Fri Jun 07 2002 - 19:51:42 PDT

  • Next message: Frog Man: "Security holes in LokwaBB and W-Agora"

    I think it is a genuine problem - a nasty one too.
    
    You could try contacting NAI, but they seemed to have semi-imploded 
    recently so may not be as helpful. See http://www.pgp.com/
    
    Try contacting the sales and ask for a tech - that works sometimes :).
    
    The 6.5.8 source seems to be still around - 
    http://www.pgpi.org/cgi/download.cgi?filename=pgpsrc658win32.zip
    
    Any idea where to start the fix?
    
    BTW: Isn't GPG compatible with the commercial PGPs used by your 
    corresponding commercial entities?
    
    Cheerio,
    Link.
    
    At 03:53 PM 6/7/02 -0500, McAllister, Andrew wrote:
    >Yes, the behavior you are seeing with gpg is exactly the behavior I would 
    >expect with PGP. In my opinion, PGP should warn and error out when 
    >decrypting an encrypted and signed file that has data appended to it. It 
    >should not simply take the appended data and overwrite the output of the 
    >encrypted/signed message when in batch mode.
    >
    >Does anyone think I should raise this a level and contact NAI/McAfee? 
    >Anyone know of a contact point? Problems I see trying to get a fix are: 
    >6.5.8 is out of date, the version I have is non-commercial, I'm not a 
    >paying customer.
    >
    >I'd switch to something else, but gpg et al are not options, we get files 
    >from commercial entities who use the commercial version of pgp. We must be 
    >able to exchange keys, decrypt and verify the latest PGP formats, not the 
    >2.x format.
    >
    >We know that GPG v1.0.6 is NOT vulnerable. Anyone have another PGP version?
    >
    >Andrew McAllister
    >University of Missouri
    >
    > > -----Original Message-----
    > > From: Rich Henning [mailto:vulnerableat_private]
    >snip
    > > I was unable to reproduce this behavior using GPGv1.0.6 on
    > > linux-2.4.18 x86
    > > in fact, i was even warned that the encrypted message was modified:
    >snip
    > >       gpg: WARNING: encrypted message has been manipulated!
    >snip
    



    This archive was generated by hypermail 2b30 : Fri Jun 07 2002 - 19:58:23 PDT