ietf-openpgp
[Top] [All Lists]

message integrity checksum?

1998-01-06 12:17:59

Gary Howland discussed PGP vulnerabilities at HIP97 I think.  One of
the vulnerabilities was that encrypted (but not signed) messages could
be altered undetectably.

This can be demonstrated (with pgp2.6 command line):

% echo hello world > junk
% pgp -c +compress=off -zfred junk
% sed 's/....$/adam/' < junk.pgp > junk2.pgp
% pgp -zfred junk2.pgp
% cat junk2
hello wo<F8>P?t

(pgp doesn't complain or even notice the above ... there is no
checksum and so you can just garble the file, if you so wish, and pgp
won't complain).

Was this viewed as a problem?

I think the example given is that someone might use this (symmetric
encryption) to send commands to a remote command executer which would
be trusted because it was encrypted with a shared passphrase.  This
shows that the last command say could be garbled, resulting in a null
operation and potential security problem.

The same problem applies to RSA (or Elgamal), encrypted messages, as
the bulk of the data is encrypted with a block cipher essentially the
same as the symmetric cipher only.

Clearly one way to fix it is to use signatures.

Was there any thought given to using a MAC, checksum, or message
digest added to the message to prevent modification without knowing
the key?

Adam

<Prev in Thread] Current Thread [Next in Thread>