
Suppose a file (say, a text file source.txt) was encrypted into danger.gpg using GPG symmetric encryption on a compromised device. Since the device is compromised, danger.gpg could have been created by a modified program masquerading as GPG, or the encrypted file could have been modified after running GPG. The attacker knows the encryption key since it was entered on the compromised device in order to create danger.gpg.

If I try to decrypt danger.gpg on a clean device, do I risk infecting it by running the GPG symmetric decryption on the malicious file?

  • So the malicious code has been encrypted? That means that it cannot be executed. – schroeder Apr 10 '19 at 18:58
  • @schroeder: I edited the question to clarify that the malicious code might have been added after encryption, with knowledge of the key/passphrase. – Perron Aeed Apr 10 '19 at 19:15
  • By your rules, yes. You've said that the attacker has full control over the contents of the file, so yes, it could theoretically contain malicious contents. – Dan Landberg Apr 10 '19 at 19:27
  • but do I risk executing that potentially malicious code in the process of running the decryption? – Perron Aeed Apr 10 '19 at 20:51

1 Answer


No, but

About

By running gpg only, you just may create a new file. This file could be a virus, hold a virus or point to a virus, but anyway gpg won't even try to execute it by itself.

If you're reading this file through a complex integrated system which will try to automatically execute some decrypted data, this could be an issue, but it's not a feature of gpg.

Of course, there could be some issues:

  • decrypting data to standard output, which could permit triggering some terminal bugs,
  • a bug in the gpg binary: I don't even know of something like this, but as nothing is perfect, we could imagine some zero-day exploit able to break gpg itself, but...

About

Regarding your question, if any host is compromised, encrypted data coming from this host is subject to caution. Using symmetric or asymmetric encryption doesn't matter... (As using gpg, ssl or any other way doesn't matter...)