OT: Padding Oracle Attacks

Werner Koch wk at gnupg.org
Fri Sep 24 10:13:27 CEST 2010


On Mon, 20 Sep 2010 23:13, nicholas.cole at gmail.com said:

> It isn't clear to me after reading that whether this kind of attack would
> be thwarted by the MDC or not.

First of all, you can't mount a padding attack on an OpenPGP ciphertext
because CFB mode is used, which does not need any padding by design.

The MDC was introduced to detect message manipulation for encrypted-only
messages.  The more common case is to sign and encrypt a message which
adds an explicit manipulation detection and would not need an MDC;
we use it anyway.

Thwarting oracle attacks is never easy but there are some simple rules
you can follow: Do not return detailed error codes, batch up requests
and responses, detect the use of your service as an oracle (similar to
DoS prevention).  For OpenPGP this is in fact all easily doable because it
is not an online protocol.  If you try to use it with an online protocol
(i.e. through CGIs) you need to take the above precautions.  In any case
we tried to make it hard to use GPG as an oracle.


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.
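
Two of the rules from the message above (return no detailed error codes, and detect use of the service as an oracle), as an added Python example that is not part of the original post and is not GnuPG code. OracleGuard, DecryptionError and demo_decrypt are hypothetical names; demo_decrypt is a constructed stand-in for a real decryption backend behind a CGI-style front end.

```python
import time
from collections import defaultdict, deque

GENERIC_ERROR = "decryption failed"  # the only failure text a client ever sees

class DecryptionError(Exception):
    """Raised by the backend; `reason` is detailed and stays server-side."""
    def __init__(self, reason):
        super().__init__(reason)
        self.reason = reason

class OracleGuard:
    """Wraps a decrypt callable so an online caller cannot use it as an oracle."""
    def __init__(self, decrypt, max_failures=5, window=60.0, clock=time.monotonic):
        self.decrypt = decrypt
        self.max_failures = max_failures
        self.window = window
        self.clock = clock
        self.failures = defaultdict(deque)  # client id -> failure timestamps
        self.audit = []                     # internal log, never sent to clients

    def _recent_failures(self, client):
        q = self.failures[client]
        cutoff = self.clock() - self.window
        while q and q[0] < cutoff:          # drop failures outside the window
            q.popleft()
        return q

    def handle(self, client, ciphertext):
        q = self._recent_failures(client)
        if len(q) >= self.max_failures:
            # Too many recent failures: refuse without touching the key, and
            # answer exactly as for any other failure.
            self.audit.append((client, "blocked"))
            return (False, GENERIC_ERROR)
        try:
            return (True, self.decrypt(ciphertext))
        except DecryptionError as exc:
            q.append(self.clock())
            self.audit.append((client, exc.reason))  # detail kept internal
            return (False, GENERIC_ERROR)

def demo_decrypt(ciphertext):
    # Constructed stand-in backend with two distinct internal failure causes.
    if not ciphertext.startswith(b"PGP"):
        raise DecryptionError("malformed packet")
    if ciphertext.endswith(b"!"):
        raise DecryptionError("MDC mismatch")
    return ciphertext[3:]
```

Every failure, including the blocked case, produces the same response, so the distinction between failure causes exists only in the server-side audit list.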



