Why sign as well as encrypt files stored on untrusted drives?

David Shaw dshaw at jabberwocky.com
Wed Jul 13 15:48:50 CEST 2011


On Jul 13, 2011, at 7:28 AM, Chris Poole wrote:

> Hi
> 
> Say I encrypt a file to myself using my public key, and only I will
> ever need or want to access the plaintext. The file will be stored on
> an untrusted drive somewhere. I don't care about authenticity, in the
> sense that I'll never need to prove to someone else that it was
> actually I that sent that file. All I care is that I can get the
> plaintext, and no-one else can.
> 
> I've read that it's a good idea to sign this file too, but I'm not sure why.
> 
> Surely if the file is changed then I've lost that data anyway, and the
> file will fail to decrypt.
> 
> 
> Is there some feasible attack that could change the encrypted data in
> such a way that I won't notice it when I decrypt the file, but somehow
> the file will still decrypt?

Yes.  This was an concern in early PGP that was addressed in OpenPGP.  Given the sort of encryption used (CFB), it was possible to chop/mangle the end of an encrypted blob and still have it decrypt properly.  A contrived example would be "Hey, give $1,000,000 to Fred.  Just kidding!".  Fred could then arrange to mangle the end.  (It's not that simple, as there are other issues involved, and Fred has to get access to the file anyway, etc, etc, but you get the idea).

Signing does eliminate this possible problem, yes, which is possibly why you saw that advice out there (though you have to remember to check the signature).  However, OpenPGP has a built-in protection for this sort of thing: the MDC.  This is a hash of the message contents, included in the encrypted message, that protects against message tampering like this.  When decrypting, you would see something like "WARNING: encrypted message has been manipulated!" if the MDC turned out bad.  The MDC has been on by default for many years now, so it is likely you have it enabled for your key, unless it is very old.  To check, run:

  gpg --edit-key (yourkey) showpref

Look in the "Features" line for "MDC".

So short answer is that you most likely don't need to sign your files just to avoid tampering - there was a reason for signing at one point, but it's no longer there.

Back to your original issue though, note that if Fred can get access to your (untrusted) drive, he can just replace the whole file with whatever he likes (since he just needs your public key to encrypt a new file), with no fussy message tampering needed.  That may or may not be an issue in your situation.  Signing does help there since Fred presumably doesn't have access to your secret key.

David




More information about the Gnupg-users mailing list