Can you unlock sent messages ?? Somehow ??

vedaal@hush.com vedaal@hush.com
Mon Jul 21 17:58:25 2003


>Message: 2
>To: gnupg-users@lists.gnupg.org
>From: Ivan Boldyrev <boldyrev+nospam@cgitftp.uiggm.nsc.ru>
>Subject: Re: Can you unlock sent messages ?? Somehow ??
>Date: Sat, 19 Jul 2003 02:31:24 +0700

[...]

>On 8443 day of my life David Shaw wrote:
>> On Fri, Jul 18, 2003 at 12:23:18PM +0700, Ivan Boldyrev wrote:
>>
>>> Can I manipulate PGP packets after encryption and create such message,
>>> that if one recipient decrypts it, he sees "Happy birthday", and if
>>> second recipient decrypts it, he sees "Private message"?  So, user
>>> will be able to hide information from corporation anyway :)
>>
>> Not without also modifying the program that processes the message,
>> which would defeat the purpose.
>
>Do you mean decryptor or encryptor?  Can I just postprocess encrypted
>data replacing some packets (assuming I have own private key and
>string "Private message" is fixed)?

maybe a question at the cryptographic level ;-)

ordinarily, we assume that there is one session key for the symmetrically
encrypted packet, simply because that is the most secure and straightforward
way to do the encryption

the question here is, 
what if someone intentionally wanted a symmetrically encrypted (larger,
 single) packet that would partially decrypt differently with 'different'
session keys,
i.e. one message and a null string with one session key, and a null string
and second message with the second session key

is it really 'impossible' to construct?

if it is done after the fact, it would need the crc mdc to be taken into
account,

but if it can be done altogether, it would then not be difficult to modify
the user's individual copy of gnupg to construct such messages, while
still leaving the company/third party under the illusion that they have
the 'correct' message

(in any event, even if it 'could' be done, it would intuitively seem
to be 'detectable', as the symmetrically encrypted packet would be inappropriately
large)

interesting though,  ;-)

vedaal


