dshaw at jabberwocky.com
Tue Mar 22 20:37:08 CET 2011
On Mar 22, 2011, at 3:17 PM, Jerome Baum wrote:
> David Shaw <dshaw at jabberwocky.com> writes:
>> Hmm. I'm not sure you and I are on the same page with this attack. I
>> don't think that Alice's rigged message to Baker necessarily needs to
>> be forged to come from the original sender. Alice can send the
>> message to Baker as herself, with no special signing or other trickery
>> to fool Baker about the origin of the message. She can even sign it
>> (as herself) if she wants. The contents of the message just need to
>> be something Baker would naturally reply to.
> Yeah I got a bit carried off there. So any way to counter that, besides
> keeping a list of (hash(cryptd-text), hash(session-key | random-parts))
> to warn you if one is reused? Obviously that is a pretty dumb way, so is
> there any way at all to counter a session-key-reuse attack?
Probably the easiest way is to not send messages with speculative key IDs encrypted to more than one recipient. :)
That ensures that Alice knows as little as possible about the other recipients (including whether there are any in the first place). It does put an additional burden on the sender, though, as they now need to send out more messages (which might be hard for some senders).
More information about the Gnupg-users