Page MenuHome GnuPG
Create Task
Maniphest T149

Integrity check error message for gpg -c
Closed, ResolvedPublic
Actions

Description

Release: gpg (GnuPG) 1.2.1

Environment

Red Hat Linux 9.0

Description

Decrypting a file that's been encrypted with "gpg -c" (symmetric encryption with a passphrase) prints a warning message after decrypting: "gpg: WARNING: message was not integrity protected".

Properly designed symmetric encryption should always include a MAC keyed on the encryption passphrase, appended to the ciphertext. That serves as an integrity check in that it shows that whoever encrypted the file had the secret key.

There's two possibilities:

  1. gpg -c includes a MAC and therefore this warning message is spurious; the fix is to remove it.
  2. gpg -c doesn't include a MAC and therefore isn't well designed. Some kind of extension should be developed that adds a MAC that does NOT depend on a stored private key on a key ring. Preferably, the extension can be designed so that ciphertexts with the MAC will still decrypt with old versions of gpg, even if the old versions don't check the MAC. That would allow the extension to be enabled by default in new versions. However, that may not be possible.

    Either way, some type of fix is adviseable.

Fix

Unknown

Event Timeline

gpg added projects: gnupg, Bug Report.Apr 30 2003, 9:53 AM
dshaw added a subscriber: dshaw.Apr 30 2003, 5:26 PM

I've got this one.

dshaw added a comment.Apr 30 2003, 5:26 PM

This is not a bug. There is a MDC solution (basically a
SHA1 digest of the symmetrically encrypted message) that is
defined as part of the OpenPGP standard. However, for
backwards compatibility reasons, it is not on by default.
If you use "gpg --force-mdc -c" when encrypting, the hash is
included and the warning message will go away.

Note, however, that some versions of PGP (anything before
7), and GnuPG (anything before 1.0.2) will not be able to
handle the message.

dshaw claimed this task.Apr 30 2003, 5:26 PM
dshaw added a project: Restricted Project.
dshaw added a subscriber: werner.
dshaw closed this task as Resolved.Jun 19 2003, 4:55 PM
dshaw removed a project: Restricted Project.

Closing.