small security glitches

Post Carter post.carter at
Wed Feb 29 16:33:43 CET 2012

I too had seen and been perturbed by this unexplained statement on
"There is a small security glitch in the OpenPGP (and therefore GnuPG) system; to avoid this you should always sign and encrypt a message instead of only encrypting it."
I use PGP for local file encryption and was concerned this applied to that as well, but I now think it seems to only apply to *messages*.  I would appreciate anyone else's analysis of that.
I believe I have found the actual information behind the "glitch," and it *absolutely* has to do with encryption/security and not just integrity/trust.
Tom McCune's summary from link above:
Chosen-Ciphertext Attack?
The report Implementation of Chosen-Ciphertext Attacks against PGP and GnuPG discusses a potential PGP vulnerability.  This is my understanding of the attack: 
An individual intercepts an encrypted email.  He places a plaintext addition within the package, in such a manner that when the originally intended recipient decrypts the message, the symmetric session key also "decrypts" the addition.  But since the plaintext addition was not encrypted (but probably looked encrypted), it is now encrypted to the symmetric session key.  If the originally intended recipient then sends this "gibberish" back to the original sender (to inquire about it), the interceptor again intercepts this, and now has both his original plaintext addition, and the symmetric session key encryption of that plaintext.  From this, he is able to reverse the XOR processing of the original encryption to produce the plaintext of the originally intercepted encrypted message. 
Although the Open PGP standard needed to be updated to prevent such an attack, this attack was unlikely to actually succeed against a PGP user – PGP compresses before encrypting, in such a manner that this alteration would normally result in a corrupt package. 
If the original encrypted message was signed, this alteration will result in the intended recipient receiving a Bad signature verification. 
The attack would fail under any of the following conditions:
- The recipient takes no action in regards to the received “gibberish.”
- The recipient does not include the “gibberish” in any outgoing response.
- The recipient encrypts his outgoing response to the original sender (as long as the recipient is not fooled into encrypting the "gibberish" to the interceptor's key).
- The interceptor fails to intercept the plaintext response to the original sender. 

PGP Corp states that as of PGP 8.0.2 "special MDC support" includes additional protection against this kind of attack.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20120229/d40cfa64/attachment-0001.htm>

More information about the Gnupg-users mailing list