Communities

Writing
Writing
Codidact Meta
Codidact Meta
The Great Outdoors
The Great Outdoors
Photography & Video
Photography & Video
Scientific Speculation
Scientific Speculation
Cooking
Cooking
Electrical Engineering
Electrical Engineering
Judaism
Judaism
Languages & Linguistics
Languages & Linguistics
Software Development
Software Development
Mathematics
Mathematics
Christianity
Christianity
Code Golf
Code Golf
Music
Music
Physics
Physics
Linux Systems
Linux Systems
Power Users
Power Users
Tabletop RPGs
Tabletop RPGs
Community Proposals
Community Proposals
tag:snake search within a tag
answers:0 unanswered questions
user:xxxx search by author id
score:0.5 posts with 0.5+ score
"snake oil" exact phrase
votes:4 posts with 4+ votes
created:<1w created < 1 week ago
post_type:xxxx type of post
Search help
Notifications
Mark all as read See all your notifications »
Users Search
Help Dashboard Sign In Sign Up
Q&A Meta
Q&A
Posts Tags Edits
Ask Question

Post History

71%
+3 −0
Q&A Can a malicious party add false recipients (who are listed but can't really decrypt) to an encrypted GPG message?

In gpg(1), one normally adds recipients of an encrypted message with --recipient. Those recipients will be able to decrypt the message, and their key ID will appear unencrypted, so anyone will kno...

0 answers  ·  posted 8mo ago by alx‭  ·  edited 8mo ago by alx‭

Question GPG
#6: Post edited by user avatar alx‭ · 2024-03-29T15:39:06Z (8 months ago)
  • In gpg(1), one normally adds recipients of an encrypted message with `--recipient`. Those recipients will be able to decrypt the message, and their key ID will appear unencrypted, so anyone will know that they are able to decrypt it.
  • gpg(1) also allows to add hidden recipients, with `--hidden-recipient`. Those recipients will be able to decrypt the message, but a third party won't know that they are able to decrypt it.
  • I wonder if a malicious party would be able to craft an encrypted message, and falsely claim that someone else would be able to decrypt it (not necessarily with gpg(1), I wonder if one can craft a tool that creates a message that gpg(1) will interpret as valid), listing it as a recipient.
  • Is that possible?
  • Related: <https://stackoverflow.com/questions/5877969/how-do-i-list-information-for-a-gnupg-encrypted-message>
  • Related: <https://github.com/neomutt/neomutt/pull/4221>
  • In gpg(1), one normally adds recipients of an encrypted message with `--recipient`. Those recipients will be able to decrypt the message, and their key ID will appear unencrypted, so anyone will know that they are able to decrypt it.
  • gpg(1) also allows adding hidden recipients, with `--hidden-recipient`. Those recipients will be able to decrypt the message, but a third party won't know that they are able to decrypt it.
  • I wonder if a malicious party would be able to craft an encrypted message, and falsely claim that someone else would be able to decrypt it (not necessarily with gpg(1), I wonder if one can craft a tool that creates a message that gpg(1) will interpret as valid), listing it as a recipient.
  • Is that possible?
  • Related: <https://stackoverflow.com/questions/5877969/how-do-i-list-information-for-a-gnupg-encrypted-message>
  • Related: <https://github.com/neomutt/neomutt/pull/4221>
#5: Post edited by user avatar alx‭ · 2024-03-29T01:06:38Z (8 months ago)
  • In gpg(1), one normally adds recipients of an encrypted message with `--recipient`. Those recipients will be able to decrypt the message, and their key ID will appear unencrypted, so anyone will know that they are able to decrypt it.
  • gpg(1) also allows to add hidden recipients, with `--hidden-recipient`. Those recipients will be able to decrypt the message, but a third party won't know that they are able to decrypt it.
  • I wonder if a malicious party would be able to craft an encrypted message, and falsely claim that someone else would be able to decrypt it (not necessarily with gpg(1), I wonder if one can craft a tool that creates a message that gpg(1) will interpret as valid), listing it as a recipient.
  • Is that possible?
  • Related: <https://stackoverflow.com/questions/5877969/how-do-i-list-information-for-a-gnupg-encrypted-message>
  • Related: <https://github.com/neomutt/neomutt/pull/4221>
  • In gpg(1), one normally adds recipients of an encrypted message with `--recipient`. Those recipients will be able to decrypt the message, and their key ID will appear unencrypted, so anyone will know that they are able to decrypt it.
  • gpg(1) also allows to add hidden recipients, with `--hidden-recipient`. Those recipients will be able to decrypt the message, but a third party won't know that they are able to decrypt it.
  • I wonder if a malicious party would be able to craft an encrypted message, and falsely claim that someone else would be able to decrypt it (not necessarily with gpg(1), I wonder if one can craft a tool that creates a message that gpg(1) will interpret as valid), listing it as a recipient.
  • Is that possible?
  • Related: <https://stackoverflow.com/questions/5877969/how-do-i-list-information-for-a-gnupg-encrypted-message>
  • Related: <https://github.com/neomutt/neomutt/pull/4221>
#4: Post edited by user avatar alx‭ · 2024-03-29T01:06:27Z (8 months ago)
  • In gpg(1), one normally adds recipients of an encrypted message with `--recipient`. Those recipients will be able to decrypt the message, and their key ID will appear unencrypted, so anyone will know that they are able to decrypt it.
  • gpg(1) also allows to add hidden recipients, with `--hidden-recipient`. Those recipients will be able to decrypt the message, but a third party won't know that they are able to decrypt it.
  • I wonder if a malicious party would be able to craft an encrypted message, and falsely claim that someone else would be able to decrypt it (not necessarily with gpg(1), I wonder if one can craft a tool that creates a message that gpg(1) will interpret as valid), listing it as a recipient.
  • Is that possible?
  • Related: <https://stackoverflow.com/questions/5877969/how-do-i-list-information-for-a-gnupg-encrypted-message>
  • In gpg(1), one normally adds recipients of an encrypted message with `--recipient`. Those recipients will be able to decrypt the message, and their key ID will appear unencrypted, so anyone will know that they are able to decrypt it.
  • gpg(1) also allows to add hidden recipients, with `--hidden-recipient`. Those recipients will be able to decrypt the message, but a third party won't know that they are able to decrypt it.
  • I wonder if a malicious party would be able to craft an encrypted message, and falsely claim that someone else would be able to decrypt it (not necessarily with gpg(1), I wonder if one can craft a tool that creates a message that gpg(1) will interpret as valid), listing it as a recipient.
  • Is that possible?
  • Related: <https://stackoverflow.com/questions/5877969/how-do-i-list-information-for-a-gnupg-encrypted-message>
  • Related: <https://github.com/neomutt/neomutt/pull/4221>
#3: Post edited by user avatar alx‭ · 2024-03-29T01:05:59Z (8 months ago)
  • In gpg(1), one normally adds recipients of an encrypted message with `--recipient`. Those recipients will be able to decrypt the message, and their key ID will appear unencrypted, so anyone will know that they are able to decrypt it.
  • gpg(1) also allows to add hidden recipients, with `--hidden-recipient`. Those recipients will be able to decrypt the message, but a third party won't know that they are able to decrypt it.
  • I wonder if a malicious party would be able to create an encrypted message, and falsely claim that someone else would be able to decrypt it (not necessarily with gpg(1), I wonder if one can craft a tool that creates a message that gpg(1) will interpret as valid).
  • Is that possible?
  • Related: <https://stackoverflow.com/questions/5877969/how-do-i-list-information-for-a-gnupg-encrypted-message>
  • In gpg(1), one normally adds recipients of an encrypted message with `--recipient`. Those recipients will be able to decrypt the message, and their key ID will appear unencrypted, so anyone will know that they are able to decrypt it.
  • gpg(1) also allows to add hidden recipients, with `--hidden-recipient`. Those recipients will be able to decrypt the message, but a third party won't know that they are able to decrypt it.
  • I wonder if a malicious party would be able to craft an encrypted message, and falsely claim that someone else would be able to decrypt it (not necessarily with gpg(1), I wonder if one can craft a tool that creates a message that gpg(1) will interpret as valid), listing it as a recipient.
  • Is that possible?
  • Related: <https://stackoverflow.com/questions/5877969/how-do-i-list-information-for-a-gnupg-encrypted-message>
#2: Post edited by user avatar alx‭ · 2024-03-29T01:04:49Z (8 months ago)
  • In gpg(1), one normally adds recipients of an encrypted message with `--recipient`. Those recipients will be able to decrypt the message, and their key ID will appear unencrypted, so anyone will know that they are able to decrypt it.
  • gpg(1) also allows to add hidden recipients, with `--hidden-recipient`. Those recipients will be able to decrypt the message, but a third party won't know that they are able to decrypt it.
  • I wonder if a malicious party would be able to create an encrypted message, and falsely claim that someone else would be able to decrypt it (not necessarily with gpg(1), I wonder if one can craft a tool that creates a message that gpg(1) will interpret as valid).
  • Is that possible?
  • In gpg(1), one normally adds recipients of an encrypted message with `--recipient`. Those recipients will be able to decrypt the message, and their key ID will appear unencrypted, so anyone will know that they are able to decrypt it.
  • gpg(1) also allows to add hidden recipients, with `--hidden-recipient`. Those recipients will be able to decrypt the message, but a third party won't know that they are able to decrypt it.
  • I wonder if a malicious party would be able to create an encrypted message, and falsely claim that someone else would be able to decrypt it (not necessarily with gpg(1), I wonder if one can craft a tool that creates a message that gpg(1) will interpret as valid).
  • Is that possible?
  • Related: <https://stackoverflow.com/questions/5877969/how-do-i-list-information-for-a-gnupg-encrypted-message>
#1: Initial revision by user avatar alx‭ · 2024-03-29T01:04:32Z (8 months ago) 
Can a malicious party add false recipients (who are listed but can't really decrypt) to an encrypted GPG message?
In gpg(1), one normally adds recipients of an encrypted message with `--recipient`.  Those recipients will be able to decrypt the message, and their key ID will appear unencrypted, so anyone will know that they are able to decrypt it.

gpg(1) also allows to add hidden recipients, with `--hidden-recipient`.  Those recipients will be able to decrypt the message, but a third party won't know that they are able to decrypt it.

I wonder if a malicious party would be able to create an encrypted message, and falsely claim that someone else would be able to decrypt it (not necessarily with gpg(1), I wonder if one can craft a tool that creates a message that gpg(1) will interpret as valid).

Is that possible?
GPG