Can a malicious party add false recipients (who are listed but can't really decrypt) to an encrypted GPG message?

In gpg(1), one normally adds recipients of an encrypted message with --recipient. Those recipients will be able to decrypt the message, and their key ID will appear unencrypted, so anyone will know that they are able to decrypt it.

gpg(1) also allows adding hidden recipients, with --hidden-recipient. Those recipients will be able to decrypt the message, but a third party won't know that they are able to decrypt it.

I wonder if a malicious party would be able to craft an encrypted message, and falsely claim that someone else would be able to decrypt it (not necessarily with gpg(1), I wonder if one can craft a tool that creates a message that gpg(1) will interpret as valid), listing it as a recipient.

is a duplicate

This question has been asked before and has already been answered. It should be marked as a duplicate.

Please enter the URL of the proposed duplicate in the details field below.

not constructive

This question cannot be answered in a way that is helpful to anyone. It's not possible to learn something from possible answers, except for the solution for the specific problem of the asker.

Communities

Can a malicious party add false recipients (who are listed but can't really decrypt) to an encrypted GPG message?

1 comment thread

0 answers