Curve25519 ECDH encryption issue

NIIBE Yutaka gniibe at
Fri Apr 8 09:02:31 CEST 2016


It is possible for a person to (manually) craft an encrypted message
by Curve25519 ECDH with an ephemeral key V = O.  I say "manually",
because GnuPG itself never generates such an ephemeral key.

The recipient obtains the shared secret by calculating

	S = rV

where (r, R) is the recipient's key pair.

Because multiplying O by any scalar value is O, anyone can obtain the
shared secret, thus, can decrypt the "encrypted" message.

This means that it is possible to craft a
looking-like-encrypted-message which should be only decrypted by
recipient(s), but actually anyone can decrypt it without the recipient
private key.

Current implementation dumps core for such a message (because of
libgcrypt), but I'm modifying libgcrypt to be compatible to NaCl API
now, so it won't dumps core.

I think that expected GnuPG behavior in this case is returns an error,
not decrypting the message.  Is it right?

I know that receiving an encrypted message does not necessarily means
that the information is classified or it is only the recipient who can
access the information (as the sender can do anything).


More information about the Gnupg-devel mailing list