Export secret key from WinXP (GnuPG) 1.4.7 to AIX PGP Version 6.5.8 gives Bad Pass Phrase

David Shaw dshaw at jabberwocky.com
Thu Sep 18 21:42:09 CEST 2008


On Thu, Sep 18, 2008 at 11:01:00AM -0700, rlively wrote:

> contact with legacy v3 key wrote:
> > Won't be a problem... we use McAfee e-Business Server v7.5 on our OS/390
> > mainframe as well as McAfee e-Business v8.x on Windows as well as GnuPG
> > (gpg) with IDEA support DLL.  I was able to decrypt your message
> > (encrypted with our legacy IDEA key).
> 
> So it seems to work, but I do have this concern: is it possible that since
> they tested it on Windows with GnuPG and not on their e-Business server on
> the mainframe and that the real file will fail when their mainframe attempts
> to decrypt it?  I sent this reply to get that extra test done:
> 
> 
> rlively wrote:
> > Is it possible to transfer the file to your mainframe to see if e-Business
> > server can decrypt it as well?  We do not have the IDEA support DLL, which
> > means that the message was encrypted using 3DES instead of IDEA, but
> > modern GnuPG and PGP installations are still perfectly capable of
> > decrypting that.  I do have concerns about the e-Business server
> > installation on the mainframe, though.
> 
> Is that correct?

It's the correct question to ask.  They should be fine, but the best
way to know that for sure is to do exactly the test you propose.

> When I view the encrypted file, it shows this:
> 
> public key encrypted packet: version 3, algo RSA, keyid <blahblah>
> encrypted data packet: mdc method 0, length 82.
> 
> What is mdc method 0?

It means "there is no MDC here".  An MDC is a Modification Detection
Code, which is one of the features of OpenPGP.  It protects against
certain forms of message tampering.  This key does not have the flag
that indicates MDC support, so GPG isn't turning the protection on.
The flag is part of OpenPGP, so that v3 key would naturally not have
it.

> My concern is partially due to this entry on 
> http://en.wikipedia.org/wiki/Pretty_Good_Privacy#Network_Associates_acquisition
> Wikipedia , which seems to imply that the development for e-Business server
> stopped in 2001, which means that it may fall under the heading of "legacy
> PGP program" that is not OpenPGP conformant and therefore can't decrypt the
> OpenPGP traffic:

"Legacy" is just a human term.  The question you have is whether it
can decrypt 3DES traffic.  Run the test you suggest above, and then
you'll know for sure.  I expect it will work.

Given what software they are using, and given the usual relucatance to
rip out a working system, I can understand why your customer would not
want to change keys, but note that there are a few not-small security
benefits in upgrading.  First step is to get things working, though.
After that there is time to worry about future work.

David



More information about the Gnupg-users mailing list