pgp -c undetectable change to ciphertext? (was Re: Hipped on PGP)

Adam Back aba at dcs.ex.ac.uk
Sat Aug 9 11:49:33 PDT 1997

Ian Grigg <iang at systemics.com> writes:
> [Gary Howland gives talk at HIP on technical PGP flaws, 0xDEADBEEF etc]
>
> And for the record, whilst Gary's attack to change conventionally
> encrypted files without detection was unknown to the PGP team at the
> moment, we can be sure that it will be addressed.

Hmm.  Change pgp -c files you say.  Let's see... do you mean this:

% echo hello world > junk
% pgp -c +compress=off -zfred junk
% sed 's/....$/adam/' < junk.pgp > junk2.pgp
% pgp -zfred junk2.pgp
% cat junk2
hello woøP?t

That much is obvious.

(pgp doesn't complain or even notice the above btw ... there is no
checksum and so you can just garble the file, if you so wish, and pgp
won't complain).

Or did Gary find a way to undetectably modify ciphertext without
turning off compression?

Could you or he elaborate on your attack?

Eternity server code is using pgp -c (but with compression on), and
some remailer reply blocks (presumably with compression on), so it
could be relevant if you've come up with an attack which works with
compress=on.

If you're using PGP with compress=on, then I suspect your chances of
undetectably modifying the ciphertext and still coming up with
something which is a valid compressed packet is fairly low.  I wonder
how low.

Probably not low enough cryptographically, if you were using this in an
automated environment, where people could hit a server with garbled
packets repeatedly until one happened to decompress, and pass the
compression code's internal checksum.

Adam
-- 
Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/

print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`

More information about the cypherpunks-legacy mailing list