Recipient inconstistence: flaw in OpenPGP

Disastry at Disastry at
Fri Aug 17 10:06:01 CEST 2001

Hash: RIPEMD160

On Tue Aug 14 11:08:02 2001 Werner Koch wrote:
> > What about encrypting to the recipients present but reporting the
> > missing key in the status output?
> That is how it should work (modulo status output) but I am not anymore
> sure whether this is a good idea:  If you want to send to Alice and
> Bob but due to a missing key you did not encrypt it for Bob, you will
> later have to resend the message to bob.  After receiving the first
> message, Alice must assume the message was only intended for her and
> act accordingly
> -- 
> Werner Koch

there is no way for recipient to be sure that the same message
was sent/encrypted to other recipients or not anyway.
PKE packets can be removed from encrypted message and
new (fake) ones can be added by MITM (Man In The Middle).

for example, you send message to Alice, this message is intercepted and
MITM adds fake PKE packet with Bobs key-id (of course this will not allow
Bob to decrypt the message), now when Alice receives message it looks like
it was encrypted to her and to Bob!
Alice writes replay to message, quotes a lot of your message (or whole message),
and encrypts and sends it back to you and Bob,
but you did not wanted Bob to see this message.

I think this in flaw in OpenPGP.
I could be solved by adding some special Recipients packet
into encrypted message part.

== <EOF> ==
Disastry <----PGP plugins for Netscape and MDaemon
 ^--GPG for Win32 (supports loadable modules and IDEA)
 ^---PGP 2.6.3ia-multi04 (supports IDEA, CAST5, BLOWFISH, TWOFISH,
     AES, 3DES ciphers and MD5, SHA1, RIPEMD160 hashes)
Version: Netscape PGP half-Plugin 0.14 by Disastry / PGPsdk v1.7.1


More information about the Gnupg-devel mailing list