Bug in GnuPG

Werner Koch wk at gnupg.org
Tue Jan 10 21:38:51 CET 2006


On Tue, 10 Jan 2006 12:48:34 -0600, Joe Vender said:

> the one for the last, non-anonymous prompt. The message WAS encrypted
> to this secret key. It's the only secret key on my ring for this test. So,
> why doesn't it decrypt the message after the first anonymous prompt?

Because it has not yet seen a session key encrypted to you.  I agree
that it would be better to try the known keys first.

> Yes, the message was encrypted to my key. If it's not going to actually
> use my passphrase to try to decrypt the message, why ask for it?

It tried.  For hidden recipients we need to do trial decryptions and
thus we need the passphrase of all secret keys available.

> Then why, if instead of encrypting to myself non-anonymously, I encrypt to myself
> anonymously along with the other anonymous recipients, I only get the anonymous
> passphrase prompt once, and upon successful passphrase entry it goes through the
> "anonymous recipient: trying secret key [my_secret_keyid]" as many times as there

That message is a diagnostic to tell that there is a hidden recipient.

> I don't understand. If the message was encrypted to my key, and the anonymous prompt states that it's checking my key, then why doesn't it decrypt the message after I enter the passphrase correctly?

Look at such a message

   PK_hidden_recipient_1(session_key)
   PK_hidden_recipient_2(session_key)
   PK_joe_vender(session_key)
   ENC_session_key(message)

gpg sees these packages one after the other.  So first we have a
public key encrypted session key encrypted to the hidden_recipient_1.
Obviously we don't know ahead which secret key to use for a hidden
recipient.  Thus we do trial decryptions

 for a in secring.gpg do
    PKDECRYPT_a (PK_hidden_recipient_1(session_key))
 done

If this succeeded with one of the secret keys, we are done and stop.
However it didn't work and we can conclude that the
hidden_recipient is not one of the keys in secring.gpg.

Now we go on and do the same, this time:

 for a in secring.gpg do
    PKDECRYPT_a (PK_hidden_recipient_2(session_key))
 done

Same result as above.

Now we are at the third packet and gpg instantly knows that it can do

  a = secring.gpg(joe_vender)
  PKDECRYPT_a (PK_joe_vender(session_key))

You are asked for the passphrase several times because each PKDECRYPT
operation requires a passphrase to prepare the key for the actual
decryption.



Salam-Shalom,

   Werner
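
The packet walk described in the message above, as an added example that is not part of the original post and is not GnuPG code: it counts secret-key unlocks (passphrase prompts) when the packets are handled in stream order and when packets naming a held key are tried first. The key IDs, the `PKESK` tuple and all function names are assumptions made for illustration; there is no real cryptography and no passphrase caching is modelled.

```python
from collections import namedtuple

# OpenPGP marks a hidden recipient with an all-zero key ID (RFC 4880, section 5.1).
HIDDEN = "0000000000000000"
JOE = "AAAAAAAAAAAAAAAA"  # constructed key ID standing in for joe_vender

# made_for is the real recipient; the reader cannot see it and only learns it by trying.
PKESK = namedtuple("PKESK", "key_id made_for")

# Constructed message mirroring the one in the post: two hidden recipients, then Joe.
MESSAGE = [PKESK(HIDDEN, "R1"), PKESK(HIDDEN, "R2"), PKESK(JOE, JOE)]
SECRING = [JOE]  # the only secret key on the ring


def pkdecrypt(secret_key, packet, attempts):
    """Stand-in for PKDECRYPT: record the attempt (one key unlock), no real crypto."""
    attempts.append((secret_key, packet.key_id))
    return secret_key == packet.made_for


def in_order(packets, secring):
    """Handle packets strictly in stream order, trial-decrypting hidden ones."""
    attempts = []
    for p in packets:
        candidates = secring if p.key_id == HIDDEN else [k for k in secring if k == p.key_id]
        for k in candidates:
            if pkdecrypt(k, p, attempts):
                return k, attempts
    return None, attempts


def known_first(packets, secring):
    """Try packets addressed to a key ID before any hidden ones (stable sort)."""
    return in_order(sorted(packets, key=lambda p: p.key_id == HIDDEN), secring)


if __name__ == "__main__":
    for strategy in (in_order, known_first):
        key, attempts = strategy(MESSAGE, SECRING)
        print(f"{strategy.__name__}: decrypted with {key} after {len(attempts)} unlock(s)")
```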



