ietf-openpgp

Re: message integrity checksum?

1998-01-06 14:34:12

Gary Howland discussed PGP vulnerabilities at HIP97 I think.  One of
the vulnerabilities was that encrypted (but not signed) messages could
be altered undetectably.

This can be demonstrated (with pgp2.6 command line):

% echo hello world > junk
% pgp -c +compress=off -zfred junk
% sed 's/....$/adam/' < junk.pgp > junk2.pgp
% pgp -zfred junk2.pgp
% cat junk2
hello wo<F8>P?t

(pgp doesn't complain or even notice the above ... there is no
checksum and so you can just garble the file, if you so wish, and pgp
won't complain).

Was this viewed as a problem?

I think the example given is that someone might use this (symmetric
encryption) to send commands to a remote command executor which would
be trusted because it was encrypted with a shared passphrase.  This
shows that the last command, say, could be garbled, resulting in a null
operation and potential security problem.

With known plaintext, the last 8 bytes can be set to anything the attacker 
desires - so it's not just a case of removing or randomly corrupting data.

You can find the paper for the talk at:

        http://www.hotlava.com/doc/index.html


Gary
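
Added example, not part of the original message and not PGP's own code: the known-plaintext point above, shown in plain CFB with 8-byte blocks, together with an integrity tag that rejects the altered ciphertext. A keyed hash stands in for the block cipher, PGP's packet framing is omitted, the HMAC-SHA256 tag over IV and ciphertext is an assumed construction, and all function names, keys and sample bytes are constructed.

```python
import hashlib
import hmac

BLOCK = 8  # block size in bytes; matches the "last 8 bytes" in the message

def _prf(key, block):
    # Stand-in for the block cipher (assumption): CFB only uses the forward direction.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def cfb(key, iv, data, decrypt=False):
    """Plain CFB: each block's keystream comes from the previous ciphertext block."""
    out, prev = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        chunk = data[i:i + BLOCK]
        res = bytes(a ^ b for a, b in zip(chunk, _prf(key, prev)))
        out += res
        prev = chunk if decrypt else res
    return bytes(out)

def rewrite_tail(ciphertext, known_tail, wanted_tail):
    """Keyless edit: swap a known plaintext tail inside the final block for another."""
    n, last = len(known_tail), (len(ciphertext) - 1) % BLOCK + 1
    if n != len(wanted_tail) or not 0 < n <= last:
        raise ValueError("tails must be equal length and fit in the final block")
    delta = bytes(a ^ b for a, b in zip(known_tail, wanted_tail))
    return ciphertext[:-n] + bytes(c ^ d for c, d in zip(ciphertext[-n:], delta))

def seal(enc_key, mac_key, iv, plaintext):  # encrypt, then tag IV + ciphertext
    ct = cfb(enc_key, iv, plaintext)
    return ct, hmac.new(mac_key, iv + ct, hashlib.sha256).digest()

def open_sealed(enc_key, mac_key, iv, ct, tag):
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return cfb(enc_key, iv, ct, decrypt=True)

# Constructed sample values, not taken from any real message.
ENC_KEY, MAC_KEY, IV = b"enc-key-sample", b"mac-key-sample", bytes(BLOCK)
MESSAGE = b"hello world\n"

if __name__ == "__main__":
    ct, tag = seal(ENC_KEY, MAC_KEY, IV, MESSAGE)
    forged = rewrite_tail(ct, b"rld\n", b"adam")
    print(cfb(ENC_KEY, IV, forged, decrypt=True))  # no check, so no complaint
    try:
        open_sealed(ENC_KEY, MAC_KEY, IV, forged, tag)
    except ValueError as err:
        print("rejected:", err)
```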

