pgp -c undetectable change to ciphertext? (was Re: Hipped on PGP) [SYSTEMICS]

Gary Howland gary at
Sun Aug 10 05:21:54 PDT 1997

> Ian Grigg <iang at> writes:
> > [Gary Howland gives talk at HIP on technical PGP flaws, 0xDEADBEEF etc]
> >
> > And for the record, whilst Gary's attack to change conventionally
> > encrypted files without detection was unknown to the PGP team at the
> > moment, we can be sure that it will be addressed.

It's not just unconventionally encrypted files - any encrypted file
that is unsigned can be modified without detection.  I brought this
to everyone's attention because far too many people assume that encryption
provides integrity.

> Hmm.  Change pgp -c files you say.  Let's see... do you mean this:
> % echo hello world > junk
> % pgp -c +compress=off -zfred junk
> % sed 's/....$/adam/' < junk.pgp > junk2.pgp
> % pgp -zfred junk2.pgp
> % cat junk2
> hello woøP?t
> That much is obvious.
> (pgp doesn't complain or even notice the above btw ... there is no
> checksum and so you can just garble the file, if you so wish, and pgp
> won't complain).

Yes, this is part of the point I was making.

> Or did Gary find a way to undetectably modify ciphertext without
> turning off compression?

Of course it is easier to modify uncompressed files, but even compressed
files can be tampered with - it's just an awful lot harder.

> Could you or he elaborate on your attack?  

In addition to turning files to garbage, I was pointing out that files can
be truncated.  This could be very serious, if, say, you removed the second
of a pair of financial transactions, or perhaps removed the last line of
a security program, eg. if the last line of a script is "chmod -w filename"
and you can remove this line, then you may be in trouble.

As well as trashing files, and truncating them, it is also important
to remember that the last 8 bytes can be modified without detection
if the plaintext is known.  This could be very serious.  Think of
the damage that could be done in 8 bytes ( "rm -rf /").

I agree that these attacks are very unlikely to occur, but I just wanted
to bring it to everyone's attention.


> If you're using PGP with compress=on, then I suspect your chances of
> undetectably modifying the ciphertext and still coming up with
> something which is a valid compressed packet is fairly low.  I wonder
> how low.  

If the plaintext is known, I could come up with a change to the last 8 bytes
that would be valid (well, perhaps not - I don't know ZIP compression
too well).
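
The truncation and known-plaintext last-block changes described in the message above, next to an encrypt-then-MAC wrapper that rejects both (an added example, not part of the original post and not PGP's code). Assumptions: plain 8-byte-block CFB rather than PGP's own CFB variant, HMAC-SHA256 truncated to 8 bytes standing in for the block cipher, and constructed keys, IV and plaintext.

```python
import hashlib
import hmac

BLOCK = 8  # 64-bit blocks, the block size of the IDEA cipher used by PGP 2.x
# Constructed sample values (hypothetical keys, IV and message).
KEY, MAC_KEY, IV = b"k" * 16, b"m" * 16, b"\x00" * BLOCK
PLAIN = b"pay 100 to alice; pay 900 to bob"  # 32 bytes = 4 blocks

def _prf(key: bytes, block: bytes) -> bytes:
    # Assumption: stand-in for the block cipher's encrypt direction.
    # CFB never uses the decrypt direction, so a keyed PRF is enough here.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def cfb_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = _xor(pt[i:i + BLOCK], _prf(key, prev))  # C_i = P_i xor E(C_{i-1})
        out += prev
    return out

def cfb_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        cur = ct[i:i + BLOCK]
        out += _xor(cur, _prf(key, prev))  # P_i = C_i xor E(C_{i-1})
        prev = cur
    return out

def tamper_last_block(ct: bytes, known: bytes, wanted: bytes) -> bytes:
    # No key needed: XOR the difference between known and wanted plaintext
    # into the final ciphertext block. No later block exists to be garbled.
    return ct[:-BLOCK] + _xor(ct[-BLOCK:], _xor(known, wanted))

def seal(enc_key: bytes, mac_key: bytes, iv: bytes, pt: bytes) -> bytes:
    # Encrypt-then-MAC: the tag covers the IV and every ciphertext byte.
    ct = cfb_encrypt(enc_key, iv, pt)
    return ct + hmac.new(mac_key, iv + ct, hashlib.sha256).digest()

def open_sealed(enc_key: bytes, mac_key: bytes, iv: bytes, blob: bytes) -> bytes:
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext failed integrity check")
    return cfb_decrypt(enc_key, iv, ct)
```

Without the tag, both the truncated and the altered ciphertext decrypt without any error; with it, `open_sealed` raises before any plaintext is released.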

