Security glitch with 3DES and -c (was: bug?: gpg 1.0 symmetric crypto 3DES problems with PGP 5.0/6.5.1)
Werner Koch
wk at gnupg.org
Thu Sep 30 07:26:57 CEST 1999
Ulf Möller <ulf at fitug.de> writes:
> - a->bufcount = 0;
> + a->bufcount = a->finalized = 0;
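Review bot: the chained assignment in the added line `a->bufcount = a->finalized = 0;` clears the flag but gives no hint why it matters; write it as two statements and add a comment on md_reset() saying that `finalized` has to be cleared along with `bufcount`. As the reply below points out, this reset sits on the passphrase-to-key path whenever the key is longer than the hash, so the fix changes the key derived for 3DES. It should therefore come with a way to read messages produced by the old code, and with a test that derives a 192-bit key through a reset context.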

Aiiiih, this md_reset() is only used for mapping passphrases to keys
and only if the keylength is larger than the length of the hash. This
is true for 3DES (192 > 160). It is not used for public key
encryption.

There is a small security impact with this bug: The effective size of
the key is 140 bits (actually it is 160 but we don't use the high
bits) and not 168 bits. However I don't believe that any passphrase
used is worth 90 bits (due to the construction of 3DES, you should not
compare the 168 bits to the 128 bits of another algorithm - it's only
about 110 bits). So don't be worried.

Now the question is what to do to allow old symmetric only encrypted
messages to be decrypted. Should I add an --emulate-3des-s2k-bug?

--
Werner Koch at guug.de www.gnupg.org keyid 621CC013
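
An added illustration, not code from this message or from GnuPG: the passphrase-to-key mapping described above, sketched as the simple and salted S2K of RFC 4880 section 3.7.1, where a key longer than the hash takes its remaining bytes from a further hash context preloaded with zero octets. The function names, passphrase and salt are constructed for the example; it shows the correct derivation only and does not model the bug.

```python
import hashlib

def s2k_derive(passphrase, key_len, salt=b"", hash_name="sha1"):
    """Simple (empty salt) or salted OpenPGP S2K, RFC 4880 section 3.7.1.

    Returns (key, sources); sources[i] is the index of the hash context
    that produced key byte i.
    """
    key, sources, ctx_index = b"", [], 0
    while len(key) < key_len:
        h = hashlib.new(hash_name)        # fresh context, no state carried over
        h.update(b"\x00" * ctx_index)     # context n is preloaded with n zero octets
        h.update(salt + passphrase)
        digest = h.digest()
        take = min(len(digest), key_len - len(key))
        key += digest[:take]
        sources += [ctx_index] * take
        ctx_index += 1
    return key, sources

def bits_per_context(sources):
    """Key bits contributed by each hash context, e.g. {0: 160, 1: 32}."""
    counts = {}
    for idx in sources:
        counts[idx] = counts.get(idx, 0) + 8
    return counts

# Constructed sample inputs, not taken from the thread.
PASSPHRASE = b"correct horse battery staple"
SALT = bytes.fromhex("0102030405060708")

if __name__ == "__main__":
    for name, key_len in (("3DES", 24), ("128-bit cipher", 16)):
        key, sources = s2k_derive(PASSPHRASE, key_len, SALT)
        print(name, key.hex(), bits_per_context(sources))
```

Only the 192-bit 3DES key needs a second hash context; a 128-bit key is taken entirely from the first SHA-1 digest, which is why the reset path is exercised for 3DES and not for shorter keys.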