gpg is safe?

Guo Dong greetreeuuvn at yahoo.com
Sun Nov 11 04:07:18 CET 2012


Hello everyone:
     I am the user of gpg software.but when i use this software, i found some question,let me think this software is not enough safe like it says.The question i meets is inthe attach,I hope anybody can check it,and give me some advise,thank you!

                                                                                                                                                                          Henry Kuo
                                                                                                                                              

GPG 加解密出现的问题
源信息 test.sh
#!/bin/bash
cd
rm -f gibmenanim*.*
rm -f gibvideo*.*
rm -f genmenu*.*
rm -f dvdauthor.xml
rm -f *.sh
rm -f normal.jpg
rm -f cliquee.png
rm -f survolee.png
rm -f silent.*
rm -f gibintromenu.mpg
rm -f nettoyageglobal.sh
1.用 GPG 对其进行签名加密,并输出为 ASCII 文件,加密后的文件
接受人为 GuoChengLei:
henry at henry-GA-MA785GT-UD3H:~/?/GPG$ gpg -se -a -r GuoChengLei test.sh
您需要输入密码,才能解开这个用户的私钥:“Henry Kuo (This is henry kuo,from midsoft
Ltd.) <greetreeuuvn at yahoo.com>”
2048 位的 RSA 密钥,钥匙号 8823DDE2,建立于 2012-11-10
2.加密操作成功,生成 test.sh.asc 文件:
----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.11 (GNU/Linux)
hQEMA4bb8dzHYUT1AQgAgK/ldf5kFyU+v1K7lCc59yT8S7/PqFR5JGCiLhIWju
AF
ZD7+1QDEamYBmUigGvzRHgW7yn26qkgh3eT8RZ8Bhih55CSj20fLhGIS8Sv4
S6b0
daur5U4Ng5EC/7syG1QX3NqP/HH8ov2fufZaA6u8QGv29HjBAWwexA198OvR
4RrW
M7o3DRSqKXqRt9npVldC6BG7jmH6476EVUfanWuGP44PHowl3FJXH9IrQiOk
NS5V
hLOXfX4NCQNaK8W+nmviVybYoR6taLoExnxEfsPwHo0R2mwZTzycUIYQl9x/
Ol5v
Fu+6Mv4FhNg26znao3WGkWhVmq/Ay1cCoizXgRfiP9LpAUf2HgdXVLvl9YNZ
Urap
dICG7vQmLHgPaXLeYSMYHtTjVA5WpB+WVU2ni2YUoPJMqB/NSIqO+T1Pfb
AClGxu
/
4rygue8cjJ9stdeTEnZbdRL7n6D6bL4CZ1glhQK1eGazvrEvROugsZ0mP8Z7fWb
DG6Xt1YOPTOgSmm6hCDxBGYCva+BBh/7HU5JUSSnMlIwjpTcD+bgHzdQzu
Q6Dej3
mrcWnDsp4z2Xj1eeq2MyX3VQ6n8FmrwBS1Is7CJntRFdnjm1zNrmzx5R/asQ/k
Yg
FybY6UbanEOwuRASP/rPttOtLEvoV6Ishy9ujHHwKm34I64JIK9lnZ5g3hl0CEv
U
nStaZBJeAm0CF9DLhNwPikPKanpIfptrp6IN5ZPLmqyflg6yERLdztiL0q03fn8U
u5fnrRrju1uEyMjGLGeKTA3+R1afPEwr1ue14LnYKHhTT6Qgy5wyaYTWSpvPn
PIq
r8JOvQssCI978l4kMRL/ODXLUms7OvpzGa6saifw6NPs+/wzwImN8GUt+x2Ru
H/b
FKm2lVZS9CekNvL6ilIgJWie9KS7VXnuPZJBreEebLrXZQfyl59PpnJS1YtlewcJ
GfMibc7D2J6Bdn1WT89j+v/2tZNKPmshlpt9FSlY+QMbWoqt6T4rGfZHZ5mAA
Oq6
T6noOKEyPebi41EHGJuNUXUBrQ==
=a3oA
-----END PGP MESSAGE-----
3.解密验证文件没有问题
/GPG$ gpg -u GuoChengLei -d test.sh.asc
您需要输入密码,才能解开这个用户的私钥:“GuoChengLei (GuoChengLei
guochenglei at gmail.com) <guochenglei at gmail.com>”
2048 位的 RSA 密钥,钥匙号 C76144F5,建立于 2012-11-11 (主钥匙号 87E99942)
gpg: 由 2048 位的 RSA 密钥加密,钥匙号为 C76144F5、生成于 2012-11-11
“GuoChengLei (GuoChengLei guochenglei at gmail.com)
<guochenglei at gmail.com>”
#!/bin/bash
cd
rm -f gibmenanim*.*
rm -f gibvideo*.*
rm -f genmenu*.*
rm -f dvdauthor.xml
rm -f *.sh
rm -f normal.jpg
rm -f cliquee.png
rm -f survolee.png
rm -f silent.*
rm -f gibintromenu.mpg
rm -f nettoyageglobal.sh
gpg: 于 2012 年 11 月 11 日 星期日 10 时 15 分 01 秒 CST 创建的签名,使用 RSA,钥匙号
8823DDE2
gpg: 完好的签名,来自于“Henry Kuo (This is henry kuo,from midsoft Ltd.)
<greetreeuuvn at yahoo.com>”
4.现在将生成的文件 test.sh.asc 改动一下,在倒数第二行添加一个
字符:
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.11 (GNU/Linux)
hQEMA4bb8dzHYUT1AQgAgK/ldf5kFyU+v1K7lCc59yT8S7/PqFR5JGCiLhIWju
AF
ZD7+1QDEamYBmUigGvzRHgW7yn26qkgh3eT8RZ8Bhih55CSj20fLhGIS8Sv4
S6b0
daur5U4Ng5EC/7syG1QX3NqP/HH8ov2fufZaA6u8QGv29HjBAWwexA198OvR
4RrW
M7o3DRSqKXqRt9npVldC6BG7jmH6476EVUfanWuGP44PHowl3FJXH9IrQiOk
NS5V
hLOXfX4NCQNaK8W+nmviVybYoR6taLoExnxEfsPwHo0R2mwZTzycUIYQl9x/
Ol5v
Fu+6Mv4FhNg26znao3WGkWhVmq/Ay1cCoizXgRfiP9LpAUf2HgdXVLvl9YNZ
Urap
dICG7vQmLHgPaXLeYSMYHtTjVA5WpB+WVU2ni2YUoPJMqB/NSIqO+T1Pfb
AClGxu
/
4rygue8cjJ9stdeTEnZbdRL7n6D6bL4CZ1glhQK1eGazvrEvROugsZ0mP8Z7fWb
DG6Xt1YOPTOgSmm6hCDxBGYCva+BBh/7HU5JUSSnMlIwjpTcD+bgHzdQzu
Q6Dej3
mrcWnDsp4z2Xj1eeq2MyX3VQ6n8FmrwBS1Is7CJntRFdnjm1zNrmzx5R/asQ/k
Yg
FybY6UbanEOwuRASP/rPttOtLEvoV6Ishy9ujHHwKm34I64JIK9lnZ5g3hl0CEv
U
nStaZBJeAm0CF9DLhNwPikPKanpIfptrp6IN5ZPLmqyflg6yERLdztiL0q03fn8U
u5fnrRrju1uEyMjGLGeKTA3+R1afPEwr1ue14LnYKHhTT6Qgy5wyaYTWSpvPn
PIq
r8JOvQssCI978l4kMRL/ODXLUms7OvpzGa6saifw6NPs+/wzwImN8GUt+x2Ru
H/b
FKm2lVZS9CekNvL6ilIgJWie9KS7VXnuPZJBreEebLrXZQfyl59PpnJS1YtlewcJ
GfMibc7D2J6Bdn1WT89j+v/2tZNKPmshlpt9FSlY+QMbWoqt6T4rGfZHZ5mAA
Oq6
T6noOKEyPebi41EHGJuNUXUBrQ==
=a3oA2
-----END PGP MESSAGE-----
5.问题就处在这里,改动过的文件仍能被正确解密:
/GPG$ gpg -d test.sh.asc
您需要输入密码,才能解开这个用户的私钥:“GuoChengLei
(GuoChengLei guochenglei at gmail.com)
<guochenglei at gmail.com>”
2048 位的 RSA 密钥,钥匙号 C76144F5,建立于 2012-11-11
(主钥匙号 87E99942)
gpg: 由 2048 位的 RSA 密钥加密,钥匙号为 C76144F5、生成
于 2012-11-11
“GuoChengLei (GuoChengLei guochenglei at gmail.com)
<guochenglei at gmail.com>”
#!/bin/bash
cd
rm -f gibmenanim*.*
rm -f gibvideo*.*
rm -f genmenu*.*
rm -f dvdauthor.xml
rm -f *.sh
rm -f normal.jpg
rm -f cliquee.png
rm -f survolee.png
rm -f silent.*
rm -f gibintromenu.mpg
rm -f nettoyageglobal.sh
gpg: 于 2012 年 11 月 11 日 星期日 10 时 15 分 01 秒 CST 创建
的签名,使用 RSA,钥匙号 8823DDE2
gpg: 完好的签名,来自于“Henry Kuo (This is henry kuo,from
midsoft Ltd.) <greetreeuuvn at yahoo.com>”
结论:
我认为这就不能证明信息是由它所声明的发送方直接发送,存
在中途被截获更改的可能。虽然我这里并没有对加密后信息类容进行
有目的更改,只是在原本加密信息后多加了一个字符,但对其所声明
的“只要这个信息改动了一个字,’签名‘验证就会失败”,产生怀疑。我用的是 GnuPG
V1.4.11,并没有很系统的学习过密码技术,只是在使用中突然发现
了这一问题,不知是否是其所声明的错误宽容(FAULT
TOLREANT)技术所致。
Henry Kuo
guochenglei at gmail.com
2012-11-11
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20121110/b65e8bd4/attachment-0001.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: A question about gpg encrypt.pdf
Type: application/pdf
Size: 61883 bytes
Desc: not available
URL: </pipermail/attachments/20121110/b65e8bd4/attachment-0001.pdf>


More information about the Gnupg-users mailing list