David Shaw <ds...@jabberwocky.com> writes:

> In addition to the size and type information, there is also an
> interesting attack that can be done against speculative key IDs. It
> doesn't (directly) help a third party know who the recipients are, but
> it does let any recipient try to confirm a guess as to who another
> recipient might be.
>
> Let's say you encrypt a message to Alice and Baker and hide the key
> IDs. Alice gets the message and knows there is one other recipient
> aside from herself. She considers who the message came from and what
> the message was about and makes an educated guess that the other
> recipient is Baker. To confirm her guess, all Alice needs to do is send
> a specially rigged speculative key ID message to Baker. If Baker
> responds, then Alice knows he was the other recipient.

Would that be by reusing the session key? Or are there other properties that we can mess with? How about, say I know the session key and the public encryption key of the suspect, can't I just encrypt the session key to that public key and see if it comes out the same?

> Throw-keyids has some good usages (posting a message for pickup in a
> public place, for example), but it's just a tool. It's important not
> to rely solely on it.

--
PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users