Ian Grigg <iang@systemics.com> writes:
[Gary Howland gives talk at HIP on technical PGP flaws, 0xDEADBEEF etc]
And for the record, whilst Gary's attack to change conventionally encrypted files without detection was unknown to the PGP team at the moment, we can be sure that it will be addressed.
It's not just unconventionally encrypted files - any encrypted file that is unsigned can be modified without detection. I brought this to everyone's attention because far too many people assume that encryption provides integrity.
Hmm. Change pgp -c files you say. Let's see... do you mean this:
% echo hello world > junk
% pgp -c +compress=off -zfred junk
% sed 's/....$/adam/' < junk.pgp > junk2.pgp
% pgp -zfred junk2.pgp
% cat junk2
hello woøP?t
That much is obvious.
(pgp doesn't complain or even notice the above btw ... there is no checksum and so you can just garble the file, if you so wish, and pgp won't complain).
Yes, this is part of the point I was making.
Or did Gary find a way to undetectably modify ciphertext without turning off compression?
Of course it is easier to modify uncompressed files, but even compressed files can be tampered with - it's just an awful lot harder.
Could you or he elaborate on your attack?
In addition to turning files to garbage, I was pointing out that files can be truncated. This could be very serious, if, say, you removed the second of a pair of financial transactions, or perhaps removed the last line of a security program, e.g. if the last line of a script is "chmod -w filename" and you can remove this line, then you may be in trouble. As well as trashing files, and truncating them, it is also important to remember that the last 8 bytes can be modified without detection if the plaintext is known. This could be very serious. Think of the damage that could be done in 8 bytes ("rm -rf /"). I agree that these attacks are very unlikely to occur, but I just wanted to bring it to everyone's attention.
If you're using PGP with compress=on, then I suspect your chances of undetectably modifying the ciphertext and still coming up with something which is a valid compressed packet is fairly low. I wonder how low.
If the plaintext is known, I could come up with a change to the last 8 bytes that would be valid (well, perhaps not - I don't know ZIP compression too well).

Gary
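The truncation and known-plaintext last-block changes discussed in this message, next to an encrypt-then-MAC wrapper that rejects both; this is an added example, not part of the original message and not PGP's code. It assumes 8-byte-block CFB mode with no compression, uses a keyed PRF as a stand-in for the block cipher, and the keys, IV, records and function names are constructed for illustration.

```python
import hashlib
import hmac

BLOCK = 8  # 64-bit blocks, matching the "last 8 bytes" in the message

def keystream(key, prev):
    # Stand-in for E_k(prev). CFB only uses the cipher's forward direction,
    # so a keyed PRF is enough here (assumption; this is not a real cipher).
    return hmac.new(key, prev, hashlib.sha256).digest()[:BLOCK]

def cfb(key, iv, data, decrypt=False):
    out, prev = b"", iv
    for i in range(0, len(data), BLOCK):
        chunk = data[i:i + BLOCK]
        res = bytes(a ^ b for a, b in zip(chunk, keystream(key, prev)))
        prev = chunk if decrypt else res  # feedback is always the ciphertext
        out += res
    return out

def seal(ek, mk, iv, pt):
    # Encrypt-then-MAC: the tag covers the IV and the whole ciphertext.
    ct = cfb(ek, iv, pt)
    return ct + hmac.new(mk, iv + ct, hashlib.sha256).digest()

def open_sealed(ek, mk, iv, blob):
    ct, tag = blob[:-32], blob[-32:]
    good = hmac.new(mk, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("integrity check failed")
    return cfb(ek, iv, ct, decrypt=True)

def rewrite_last_block(ct, known, wanted):
    # C' = C xor P xor P' on the final block; earlier blocks are untouched.
    tail = bytes(c ^ p ^ w for c, p, w in zip(ct[-BLOCK:], known, wanted))
    return ct[:-BLOCK] + tail

def rejected(ek, mk, iv, blob):
    try:
        open_sealed(ek, mk, iv, blob)
        return False
    except ValueError:
        return True

# Constructed sample data: two 8-byte records, constructed keys and IV.
EK, MK, IV = b"enc-key-sample", b"mac-key-sample", b"\x00" * BLOCK
PT = b"debit 01credit02"
if __name__ == "__main__":
    ct = cfb(EK, IV, PT)
    print(cfb(EK, IV, ct[:-BLOCK], decrypt=True))  # truncated, no error raised
```

Without the tag, both the shortened and the rewritten ciphertext decrypt cleanly; with it, `open_sealed` raises before any plaintext is returned.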