On Tuesday, November 19, 2013 at 3:02 PM, "Peter Lebbing" 
<pe...@digitalbrains.com> wrote:
>
>On 19/11/13 18:14, ved...@nym.hush.com wrote:
>> Why does gnupg give these types of error message, as opposed to
>> simply stating 'decryption failed: bad passphrase' ??
>>
>> What kind of relationship is there between the number listed for
>> the 'unknown algorithm' and the passphrase string that was given
>
>The passphrase is used to decrypt the concatenation of an octet
>specifying what cipher was used for the symmetrically-encrypted data
>packet and the key for that data packet. If you give the wrong
>passphrase, this comes out as random rubbish, and that first octet
>specifying the cipher for the data is rubbish as well. This is what
>GnuPG reports. There is no check if the decryption was successful; it
>just results in garbage. After a few tens of tries, I suppose you can
>actually hit the case where the algorithm identifier is something
>usable, and GnuPG will probably try to decrypt the data packet with the
>rubbish it got from the symmetrically encrypted session key packet :).


>There are potentially two symmetric ciphers at play, one to encrypt the
>session key, and one to encrypt the data.

=====

But this isn't the way hybrid gnupg messages work.

If a message is encrypted to two different keys,
gnupg will use the same symmetric algorithm to encrypt the session key to the 
public key, and also the plaintext to the ciphertext.

If the message is encrypted to one public key, and also encrypted symmetrically 
instead of to a second public key, then the symmetric algorithm used by gnupg 
is the same for the encryption of the session key to the public key, as well as 
the session key to the symmetrically encrypted part, as well as the encryption 
of the plaintext.

Gnupg does not use one symmetric algorithm to encrypt the session key, and then 
another to encrypt the message.
The user can choose 'which' symmetric algorithm to use, but it will be the same 
for both.

The symmetric algorithm is known, and is discoverable from gpg list-packets or 
from pgp-dump.

My question is, is there oracle behavior on gnupg's part which will allow an 
attack on the string-to-key part of the symmetric encryption?

If an attacker knows which symmetric algorithm was used, then by concentrating on 
the first few characters of the passphrase and trying variations of those 
until gnupg identifies the correct algorithm, 
gnupg may 'leak' the first few characters of the passphrase when the 
correct algorithm is identified, even if the message is not yet decrypted.
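As an added illustration (my own toy code, not anything from this thread or from GnuPG) of the packet structure Peter describes above: the first decrypted octet is the cipher ID, a wrong passphrase turns it into a random number, and because the S2K function hashes the whole passphrase, guesses that merely share a prefix with the right one hit a valid ID only by chance. The salt, the session key and the SHA-256 stand-in for the block cipher are constructed assumptions, not OpenPGP's real CFB construction.

```python
import hashlib

# Constructed toy model of an OpenPGP Symmetric-Key Encrypted Session Key
# (SKESK) packet, not GnuPG's code. Real OpenPGP uses an iterated+salted S2K
# and the chosen block cipher in CFB mode; a SHA-256 keystream stands in for
# the cipher here so the example runs on the Python standard library alone.
# OpenPGP symmetric algorithm IDs (RFC 4880, section 9.2) that GnuPG recognises.
KNOWN_ALGOS = {1: "IDEA", 2: "3DES", 3: "CAST5", 4: "Blowfish",
               7: "AES128", 8: "AES192", 9: "AES256", 10: "Twofish"}

def s2k(passphrase: bytes, salt: bytes, count: int = 1000) -> bytes:
    """Salted, iterated string-to-key. The whole passphrase goes into the
    hash, so passphrases sharing a prefix produce unrelated keys."""
    h = hashlib.sha256()
    for _ in range(count):
        h.update(salt + passphrase)
    return h.digest()

def xor_keystream(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher: XOR data with SHA-256(key || block counter)."""
    out = bytearray()
    for i, b in enumerate(data):
        block = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out.append(b ^ block[i % 32])
    return bytes(out)

def make_skesk(passphrase, salt, algo_id, session_key):
    """Encrypt (algorithm octet || session key) under the S2K-derived key."""
    return xor_keystream(s2k(passphrase, salt), bytes([algo_id]) + session_key)

def open_skesk(passphrase, salt, packet):
    """Decrypt and read the first octet as the cipher ID, as GnuPG does. With
    a wrong passphrase that octet is effectively random; if it is not a known
    ID you get the 'unknown cipher algorithm (N)' message from the thread."""
    plain = xor_keystream(s2k(passphrase, salt), packet)
    if plain[0] not in KNOWN_ALGOS:
        return None, "unknown cipher algorithm (%d)" % plain[0]
    return plain[1:], KNOWN_ALGOS[plain[0]]

def prefix_guess_hits(prefix, salt, packet, n=200):
    """Count how many of n wrong passphrases sharing `prefix` with the real
    one decrypt to a known ID. S2K hashes the whole string, so this is just
    chance (about n * 8/256) and says nothing about the prefix."""
    return sum(1 for i in range(n)
               if open_skesk(prefix + b"-guess-%d" % i, salt, packet)[0] is not None)

SALT = b"constructed-salt"          # constructed sample values, not real ones
SESSION_KEY = bytes(range(32))      # 32-byte key for algorithm 9 (AES256)
PACKET = make_skesk(b"correct horse", SALT, 9, SESSION_KEY)
```

Only the correct passphrase yields both a known ID and the right session key; a guess that hits a known ID by chance still carries a garbage key, which is the case Peter describes where GnuPG goes on to try decrypting the data packet with rubbish.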


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users