
PGP Desktop 10.2 breaks block decryption functionality

Created: 12 Aug 2011 | 5 comments
Mark Berry

Not sure how to submit a bug report so putting this here.

I encrypt lots of text blocks using PGP. Often a window will contain unencrypted data followed by a block of PGP data. For example, my bank info may contain the routing number (public info) followed by my account number (which I encrypt):

Routing number: 1223456789

-----BEGIN PGP MESSAGE-----
Version: PGP Personal Privacy 6.5.3

qANQR1DBwE4DbOAOgMkAUy4QBAC2wkrDPYwkubauRqBNfT6pZiYx3oZLCNA6jDG5
GffDfnl7lsQTd2qRTBwinQIZIm963q6hmHrBYitznz238VEQWx98qsL5XX9iSGgO
...
EvSfDRB8Tw9vW9DgB/8xxIxpv40q7L2QjVY0GADB3ezYvkDnnkAeNR/i0PK9Ea8M
rCaLAp+CnU1IRtD9OhobS/YELt7tF8BzrBRXzACxjhZaoR+fgImzdvXbOA==
=m8b6
-----END PGP MESSAGE-----

Prior to 10.2 (with 10.1.2), when I chose Current Window > Decrypt and Verify, PGP correctly pops up the entire block of text, with the unencrypted data followed by the decrypted data. So I get the routing number and the account number in a nice continuous block:

Routing number: 1223456789

Account number:  12345-67890

After upgrading to 10.2.0, when I try to decrypt that same block, I get the message, "An error has occurred. Modified data detected in integrity-protected encrypted data." If I want to decrypt, I have to manually select ONLY the PGP MESSAGE block, copy it to the clipboard, then decrypt it.

I have downgraded to 10.1.2 and I am again able to decrypt blocks of text that include PGP MESSAGEs.

Mark Berry
 

5 Comments

Eboreg

I've found this same issue.  Formerly it was possible to use the "Current Window" function with my preferred webmail account, but no more.  The non-PGP text in the window now produces the error you describe.  This is not a small thing (IMHO).

dfinkelstein

This was an intentional change made to the product.  The problem is, you have a mixture of PGP protected and non-protected data, and no good way for PGP to tell you that some of the data was secured and some wasn't.

See http://www.symantec.com/business/support/index?pag...

A paper describing the issue can be found here:

http://www.cs.ru.nl/E.Verheul/papers/Govcert/Prett... for details.

Regards,

--------

David Finkelstein

Symantec R&D

Mark Berry

David,

I'm not sure this is the same thing? The article you reference says that the vulnerability was fixed as of 10.1.0 SP1. I was, and am again, using 10.1.2 and it works the way I need it to. Not until 10.2.0 does it fail to decrypt blocks of text that include unencrypted text. Also I am talking about a mixture of encrypted and unencrypted text, not signed and unsigned, or encrypted and encrypted and signed.

I can think of several ways for PGP to tell me that some of the data was encrypted:

  1. The Text Viewer could have a message in the title bar, e.g. "Warning:  original data contained unencrypted text."
  2. The Text Viewer could present data with color-coded background indicating which data was encrypted, signed, both, or neither.
  3. (Least desirable) The text could be presented in blocks something like this:

Routing number: 1223456789

-----BEGIN PGP DECRYPTED MESSAGE-----
Account number:  12345-67890
-----END PGP DECRYPTED MESSAGE-----

In the meantime, I would suggest a more meaningful message. "Modified data detected in integrity-protected encrypted data" is confusing since I did not modify any data. (In fact, if "integrity-protected" is the same thing as "signed," why did I get this at all since the text is not signed?) Maybe "Text contains a mixture of unencrypted, encrypted, and/or signed data and cannot be verified."

Thank you for your consideration.

Mark Berry

dfinkelstein

Although the fix was applied into a service pack release of 10.1.0, it did not make it into 10.1.2.

You're right, for this case there are some better ways we can try to alert you to the situation.  We have more options with email processing (we can explicitly annotate the protected parts) and basically no options in the case of PGP Command Line (pretty much all we can do is return "success" or "failure").  I'll discuss the matter with the Product Manager responsible.

Regards,

--------

David Finkelstein

Symantec R&D
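
An added example, not part of any post above and not Symantec's code: one way a wrapper script could separate unprotected text from armored PGP MESSAGE blocks and label each part of the output, along the lines of the third suggestion in the post and the annotation idea in the reply. The `decrypt` callback, the `[decrypted]` / `[NOT protected]` labels, and the sample text are assumptions made for illustration.

```python
# Armor delimiter lines, as they appear in the block quoted in the thread.
BEGIN = "-----BEGIN PGP MESSAGE-----"
END = "-----END PGP MESSAGE-----"

def split_segments(text):
    """Return [("plain" | "armored", str), ...] in document order.

    A BEGIN line with no matching END is returned as plain text, so a
    truncated block is never passed to the decryptor as if it were whole.
    """
    segments, plain, block = [], [], None
    for line in text.splitlines():
        marker = line.strip()
        if block is None and marker == BEGIN:
            if plain:
                segments.append(("plain", "\n".join(plain)))
                plain = []
            block = [line]
        elif block is not None:
            block.append(line)
            if marker == END:
                segments.append(("armored", "\n".join(block)))
                block = None
        else:
            plain.append(line)
    leftover = block if block is not None else plain
    if leftover:
        segments.append(("plain", "\n".join(leftover)))
    return segments

def annotate(text, decrypt):
    """Label every part of the output as decrypted or not protected.

    `decrypt` is a caller-supplied (hypothetical) function: it receives one
    complete armored block and returns its plaintext, raising on failure.
    """
    out = []
    for kind, body in split_segments(text):
        if kind == "armored":
            out.append("[decrypted]\n" + decrypt(body))
        elif body.strip():
            out.append("[NOT protected]\n" + body.strip())
    return "\n\n".join(out)

# Constructed sample: the armored body is a placeholder, not real ciphertext.
SAMPLE = ("Routing number: 1223456789\n\n" + BEGIN +
          "\n\nPLACEHOLDERBASE64==\n=XXXX\n" + END + "\ntrailing note")
```

Because each armored block is handed to `decrypt` on its own, text outside the block can never be presented under the decrypted label.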

DJammy

Sorry to hijack your thread but I am a brand new user to PGP, have just installed 10.2 which apparently has issues with our Sophos Antivirus.  Where can I get the 10.1 download, as the FileConnect page only lets me download the latest version?