
GPG4WIN / Kleopatra (3.1.4) Encrypt file / Decryption fails on Network Associates PGP 6.5.8
Closed, Invalid
Public

Description

We have been using Network Associates PGP 6.5.8 for 10+ years (mainly to just decrypt files that we get from our customers). We recently had a customer for whom everything was working just fine until a new person took over the position that sends us files. It was reported to me that they use GPG4WIN / Kleopatra, but I could not get them to tell me the version. I started testing by downloading the latest (3.1.4) and was able to duplicate the problem: when I encrypt a file on GPG4WIN / Kleopatra and then attempt to decrypt on Network Associates PGP 6.5.8 I get the following error: "An error has occurred - encrypted session key is bad."

I read online to set the following:
Click on Settings -> Configure Kleopatra (screen pics below)
OpenPGP -> “compliance” set to pgp6
S/MIME -> Use Cipher Algorithm set to 3DES

Still had no success, so I figured since they were positive it worked in the past I would download an older version (3.0.1). As soon as it was installed, I encrypted a file and then I was able to decrypt it just fine using Network Associates PGP 6.5.8.
I was able to verify the settings above were still set.

I was asked to "upgrade" the 3.0.1 to 3.1.4 (by Admin) and once installed it still fails (meaning I can encrypt, but the decrypt on Network Associates PGP 6.5.8 still gives the same error: "An error has occurred - encrypted session key is bad").

I am not sure if this is a bug or if there is a setting I am missing.

I also know there are 5-6 versions between 3.0.1 and 3.1.4, so I am not sure where it started having the problem.

Any help would be greatly appreciated.

Details

Version
Version 3.1.4 (and tested on Version 3.0.1)

Event Timeline

aheinecke changed the task status from Open to Testing. Nov 9 2018, 7:46 AM
aheinecke edited projects, added Not A Bug, gpg4win; removed Bug Report.
aheinecke added a subscriber: aheinecke.

First let me say that it is never a good idea to use outdated / unmaintained security software. PGP messages are external input and you pass that to unmaintained software.

It also sounds like we are now triggering a bug in Network Associates PGP. What recently changed is that with GnuPG 2.2.8 we are always using integrity protection (MDC) due to EFail manipulations of encrypted messages and because that has been part of the standard for about 15 years...

I really would suggest that you use an alternative (like Gpg4win?) to decrypt that is security maintained. But here is how you should be able to revert to the old behavior. Compliance is the wrong setting. What you need is a combination of "rfc2440" (which is the old, long since superseded RFC) together with --disable-mdc.

Try it on the command line:

echo test | gpg --rfc2440 --disable-mdc --armor --encrypt -r "your recipient keyid or email"

You can put "disable-mdc" and "rfc2440" in %APPDATA%\gnupg\gpg.conf so that they are always used, even from Kleopatra.

But it is really really a bad idea. On the command line you will get:

gpg: WARNING: encrypting without integrity protection is dangerous
gpg: Hint: Do not use option --rfc2440

I'm closing this issue as "Invalid" because it is not an issue of Gpg4win. You can still comment and discuss here.
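The difference the comment above describes is visible in the message itself: a modern GnuPG message wraps the ciphertext in a Symmetrically Encrypted Integrity Protected Data packet (tag 18, followed by an MDC), while the `--rfc2440 --disable-mdc` output that PGP 6.5.8 accepts uses the legacy Symmetrically Encrypted Data packet (tag 9) with no integrity check at all. The following script is an added example, not code from GnuPG or from this thread: it walks the OpenPGP packet headers of a binary message (both old- and new-format headers, per RFC 4880 section 4.2) and reports whether the message carries integrity protection, so a receiving side can flag files that were produced with MDC disabled. The two sample messages are constructed byte strings with dummy ciphertext bodies, not real encrypted data.

```python
"""Inspect OpenPGP packet headers to tell whether an encrypted message has an MDC.

Added example. The sample messages below are constructed and contain dummy
bodies, not real ciphertext; only the packet framing is meaningful.
"""

# Packet tags from RFC 4880 section 4.3 that matter for this check.
PKESK = 1    # Public-Key Encrypted Session Key
SED = 9      # Symmetrically Encrypted Data: legacy, no integrity protection
SEIPD = 18   # Symmetrically Encrypted Integrity Protected Data: carries an MDC


def _read_new_length(data, i):
    """Parse a new-format body length starting at data[i]; return (length, next_index)."""
    o = data[i]
    if o < 192:                      # one-octet length
        return o, i + 1
    if o < 224:                      # two-octet length
        return ((o - 192) << 8) + data[i + 1] + 192, i + 2
    if o == 255:                     # five-octet length
        return int.from_bytes(data[i + 1:i + 5], "big"), i + 5
    raise ValueError("partial body lengths are not handled in this example")


def _read_old_length(data, i, ltype):
    """Parse an old-format body length; ltype is the low two bits of the header octet."""
    if ltype == 3:                   # indeterminate length: body runs to end of input
        return len(data) - i, i
    n = {0: 1, 1: 2, 2: 4}[ltype]
    return int.from_bytes(data[i:i + n], "big"), i + n


def parse_packets(data):
    """Return a list of (tag, body) tuples for a binary (non-armored) OpenPGP message."""
    packets = []
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError(f"invalid packet header byte 0x{ctb:02x} at offset {i}")
        if ctb & 0x40:               # new-format header: tag in low 6 bits
            tag = ctb & 0x3F
            length, i = _read_new_length(data, i + 1)
        else:                        # old-format header: tag in bits 5..2, length type in bits 1..0
            tag = (ctb >> 2) & 0x0F
            length, i = _read_old_length(data, i + 1, ctb & 0x03)
        body = data[i:i + length]
        if len(body) != length:
            raise ValueError(f"truncated packet (tag {tag}) at offset {i}")
        packets.append((tag, body))
        i += length
    return packets


def has_mdc(data):
    """True if the encrypted payload is an SEIPD packet, False if it is a legacy SED packet."""
    tags = [tag for tag, _ in parse_packets(data)]
    if SEIPD in tags:
        return True
    if SED in tags:
        return False
    raise ValueError("no encrypted data packet found")


# Constructed sample: a PKESK packet (new-format header, 13-byte dummy body).
PKESK_PKT = bytes([0xC1, 0x0D]) + b"\x03" + b"\xAA" * 8 + b"\x01" + b"\x00\x08\x42"

# Constructed sample: SEIPD packet, new-format header with a two-octet length (200 bytes):
# version octet 0x01 followed by dummy ciphertext.
SEIPD_PKT = bytes([0xD2, 0xC0, 0x08]) + b"\x01" + b"\x11" * 199

# Constructed sample: legacy SED packet with an old-format header (tag 9, one-octet length 24),
# the framing a --rfc2440 --disable-mdc message uses.
SED_PKT = bytes([0xA4, 0x18]) + b"\x22" * 24

MDC_MESSAGE = PKESK_PKT + SEIPD_PKT
LEGACY_MESSAGE = PKESK_PKT + SED_PKT


if __name__ == "__main__":
    for name, msg in (("modern", MDC_MESSAGE), ("legacy", LEGACY_MESSAGE)):
        tags = [tag for tag, _ in parse_packets(msg)]
        status = "integrity protected" if has_mdc(msg) else "NO integrity protection"
        print(f"{name}: packet tags {tags} -> {status}")
```

To use it on a real file, read the decrypted-side input with `open(path, "rb").read()` (ASCII-armored output from `--armor` must be dearmored first, e.g. with `gpg --dearmor`). A message that parses to tag 9 rather than tag 18 is exactly what the warning "encrypting without integrity protection is dangerous" refers to, and is the kind of input worth rejecting or quarantining before it reaches an unmaintained decryptor.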