Have been playing around with symmetrical encryption, and noticed something potentially concerning.
Here are 6 symmetrically encrypted short plaintexts:

-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: passphrase sss

jA0ECgMIml0qMoARY01g0kUBK8nPnLhmkn4QbxiOvxyn9eqhkzr5mNIwcsw6VBZ1
NN7uq1nmgognD0kmJgkGDNU4oz/vV+ejeWLVO3SmcHUy6u6w+Ms=
=XWY4
-----END PGP MESSAGE-----

-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: passphrase sss

jA0ECgMIOndbAQsuZBZg0kUBK3MlS0cZpFiAOxryAQxURcemcoUU1rnXMWM4xKi0
W/uV+hvidvaT2TvSA/2xIbySxm73TXyls+bDlhD8MbZgtry6c9s=
=gedo
-----END PGP MESSAGE-----

-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: passphrase sss

jA0ECgMI/nsO48zBbAFg0kUBq5wMSDD10nk1pVWEEBpvqwGz7WJhJ7IeM8C98p9G
Yt5MC9ttIMAkPiBZCngeGdj8nPGb4euDc1zd+7kma6vOJ8O1REM=
=pCzG
-----END PGP MESSAGE-----

-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: passphrase sss

jA0ECgMIPXDKy8Ndvc1g0kYBknfVVdjMwW+69k1zvJ1r5UAh9RpGglqqhBTDx2t7
VUGkCEzvbvg4JgaPji7yxtV+/YWKDq3vNCryVvWgTqjvP72VdJcr
=mJ2N
-----END PGP MESSAGE-----

-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: passphrase sss

jA0ECgMIYMx0p8nncL1g0kYByHXygeoyXbZfxf5ePIYlXqxVfqthNhw62xjx7tFQ
VwzfcRlmL1ngUHs0LBPT5Ze/eBOOqIGc2DJKUlzJYy3dxBrEbiZ0
=3xs4
-----END PGP MESSAGE-----

Version: GnuPG v1.4.10 (MingW32)
Comment: passphrase sss

jA0ECgMIJ3YsA8JXXAZg0kYBvvU4H/c+d/D+nu8Dbc4WM9fRdKuzu/MVBFOGeq/f
Z+pQA6buwnRzlvXsliFZkt1GHCDuxWKaqtR7RBzL6U8G4hUfJINx
=+8HY
-----END PGP MESSAGE-----

The first 3 encryptions are of the word 'no', while the second 3 are of the word 'yes'. All 6 are with the same passphrase 'sss' and the same algorithm, Twofish.

For the first 3, where only 2 letters of plaintext are encrypted, the PGP encryption (before the checksum) ends in the '=' padding character. For the second 3, where 3 letters are encrypted, the message ends in a different character (no padding).

Should it be 'this easy' to distinguish the relative lengths of plaintexts just by looking at the ASCII armor?
Obviously, encryptions of much longer plaintexts can't be expected to be the same size as that of a 2 character plaintext, and I haven't taken a long careful look at this, but I suspect that by increasing the plaintext one character at a time, and looking at the encrypted outputs, it should be possible to detect 'ranges' of plaintext length that correspond to a particular ciphertext length for symmetrically encrypted unsigned messages.

At any rate, it seems disturbingly easy to distinguish between symmetrically encrypted messages having only the word 'yes' or 'no' just by 'looking' at the ciphertext.

--vedaal

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
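
An added example, not part of the original message: the radix-64 padding is only one view of the length, because the armor decodes to OpenPGP packets whose headers carry each body length unencrypted, so the sketch below goes beyond the '=' observation and reads the packet sizes directly. The function names are hypothetical, and the sample armor is constructed from zero-filled packets (tag 3, symmetric-key encrypted session key; tag 18, integrity-protected encrypted data) with a placeholder checksum line.

```python
import base64

def armor_body(armor: str) -> bytes:
    """Decode the radix-64 data of one ASCII-armored block to raw bytes."""
    lines = [l.strip() for l in armor.strip().splitlines()]
    data = []
    for line in lines[lines.index("") + 1:]:      # armor headers end at the blank line
        if line.startswith(("=", "-----END")):    # CRC-24 line or footer
            break
        data.append(line)
    return base64.b64decode("".join(data))

def packets(data: bytes):
    """Return (tag, body_length) per packet, read from the unencrypted headers."""
    out, i = [], 0
    while i < len(data):
        hdr = data[i]
        if hdr & 0x40:                            # new-format header
            tag, first = hdr & 0x3F, data[i + 1]
            if first < 192:
                n, i = first, i + 2
            elif first < 224:
                n, i = ((first - 192) << 8) + data[i + 2] + 192, i + 3
            elif first == 255:
                n, i = int.from_bytes(data[i + 2:i + 6], "big"), i + 6
            else:
                raise ValueError("partial body lengths are not handled here")
        else:                                     # old-format header
            tag, width = (hdr >> 2) & 0x0F, 1 << (hdr & 3)
            if width == 8:
                raise ValueError("indeterminate length is not handled here")
            n, i = int.from_bytes(data[i + 1:i + 1 + width], "big"), i + 1 + width
        out.append((tag, n))
        i += n
    return out

def constructed_armor(body_len: int) -> str:
    """Constructed sample, not real ciphertext: zero-filled tag-3 and tag-18 packets."""
    skesk = bytes([0x8C, 13]) + bytes(13)                # old format, tag 3, 13-byte body
    seipd = bytes([0xD2, body_len]) + bytes(body_len)    # new format, tag 18; body_len < 192
    b64 = base64.b64encode(skesk + seipd).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN PGP MESSAGE-----", "", *rows,
                      "=AAAA",                           # placeholder, not a real CRC-24
                      "-----END PGP MESSAGE-----"])

def leak(armor: str):
    """What an observer without the passphrase learns: total size and packet sizes."""
    data = armor_body(armor)
    return len(data), packets(data)
```

In the armor posted above the same header is visible as the characters "0kUB" in the 'no' messages and "0kYB" in the 'yes' messages, which decode to the tag-18 header followed by length octets 0x45 and 0x46. Hiding the difference means making the plaintexts the same length before encryption, since the armor and packet framing report whatever size they are given.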