--override-session-key $PASS simple brute force attack vulnerability?

Brian M. Carlson karlsson@hal-pc.org
Mon Jul 15 13:45:02 2002


On Mon, Jul 15, 2002 at 10:55:20AM +0100, john clark wrote:
> --override-session-key $PASS simple brute force attack vulnerability?
> hi guys,
> 	Call me naive, but...
> 	I noticed that on --show-session-key option, the structure of the
> session key is composed of the cipher-algo code plus lotsa random
> numerals and upper case characters, but no special characters.

This is merely some random encoding gpg uses. See below.
> gpg: session key:
> "9:4653465768797E97F6863768674FG464675676689DBFE3SD599B7662D4DF98B1"
> 	Then there is a possibility to brute force a particular
> public-key encrypted message via the session key without having the
> secret-key, right?

Well, yes. But the amount of effort is not believed to be feasible. If
you can brute force an OpenPGP session key, please tell me how. We will
both be very rich. ;-)

Remember that it took distributed.net how long to break DES (56 bits)?
And they're still working on RC5-64.

But really, if you're getting at what I think you're getting at, let me
stop you right now. The session key is, in reality, 128, 168, 192, or
256 bits long, depending on the algorithm. It is raw bits, encoded as
bytes. However, what you see above is just some other encoding of it, so
that you can type it in at the prompt. Otherwise, if one of those bytes
was 0x10 (LF), then you wouldn't be able to override the session key,
now would you?
> 	And if this is the case, then it's much better to use long cipher
> algos like Rijndael256 and Twofish to avoid this risk?

Yes, if you believe such algos are secure. I read somewhere that certain
types of algos (including Rijndael with 256-bit only) have certain
properties in the s-boxes, I think, that made them bad choices. So I
prefer Rijndael 192.

You can see my preferences here:
	Cipher: 3DES, BLOWFISH, CAST5, AES192
	Hash: RIPEMD160, TIGER192, SHA1 (that is a nasty extra SHA1 that
	shouldn't be there)
	Compression: ZLIB, ZIP, Uncompressed
	Features: MDC

Brian M. Carlson <karlsson@hal-pc.org> <http://decoy.wox.org/~bmc> 0x560553=
You single-handedly fought your way into this hopeless mess.

Version: GnuPG v1.1.90 (GNU/Linux)
Comment: Ubi libertas, ibi patria.
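As an added illustration (not part of the mail above and not GnuPG's own code), the following Python parses the `<algo-id>:<hex key>` string that `gpg --show-session-key` prints, checks that the number of key bytes matches what that algorithm actually uses, and sizes the resulting keyspace against the 56-bit DES space that distributed.net exhausted. The algorithm IDs and key sizes are the OpenPGP ones (RFC 4880, section 9.2, the same values in use in 2002); the function names are invented for this example. Run against the key quoted in the thread, it also shows that the posted string cannot be genuine gpg output: the hex encoding never contains `G` or `S`, so the poster evidently altered it by hand.

```python
# Added example: parse and sanity-check a GnuPG --show-session-key value.
# Not GnuPG code; helper names are invented for this illustration.

# OpenPGP symmetric-key algorithm IDs (RFC 4880, section 9.2):
# id -> (name, key bytes as gpg prints them, effective key bits).
# 3DES carries 24 key bytes but only 168 effective bits (one parity bit per byte).
SYMMETRIC_ALGOS = {
    1: ("IDEA", 16, 128),
    2: ("3DES", 24, 168),
    3: ("CAST5", 16, 128),
    4: ("BLOWFISH", 16, 128),
    7: ("AES128", 16, 128),
    8: ("AES192", 24, 192),
    9: ("AES256", 32, 256),
    10: ("TWOFISH", 32, 256),
}

DES_KEY_BITS = 56  # the keyspace distributed.net exhausted, for comparison
HEX_DIGITS = set("0123456789abcdefABCDEF")


def parse_session_key(text):
    """Parse '<algo-id>:<hex key>' as printed by gpg --show-session-key.

    Returns (algorithm name, key bytes, effective key bits). Raises ValueError
    if the string is malformed, names an unknown algorithm id, contains
    characters outside the hex alphabet, or carries the wrong number of key
    bytes for that algorithm.
    """
    algo_str, sep, hex_key = text.strip().strip('"').partition(":")
    if sep != ":" or not algo_str.isdigit():
        raise ValueError("expected '<algo-id>:<hex key>'")
    algo_id = int(algo_str)
    if algo_id not in SYMMETRIC_ALGOS:
        raise ValueError(f"unknown symmetric algorithm id {algo_id}")
    name, key_bytes, key_bits = SYMMETRIC_ALGOS[algo_id]
    try:
        key = bytes.fromhex(hex_key)  # rejects anything outside 0-9A-Fa-f
    except ValueError:
        bad = sorted({c for c in hex_key if c not in HEX_DIGITS})
        if bad:
            raise ValueError(f"non-hex characters in key: {''.join(bad)}")
        raise ValueError("odd-length hex string")
    if len(key) != key_bytes:
        raise ValueError(f"{name} needs {key_bytes} key bytes, got {len(key)}")
    return name, key, key_bits


def keyspace_vs_des(key_bits):
    """How many DES-sized (2**56) keyspaces fit in a key of `key_bits` bits."""
    return 2 ** (key_bits - DES_KEY_BITS)


def check_posted_key(text):
    """Return a one-line verdict for a session-key string, never raising."""
    try:
        name, _key, bits = parse_session_key(text)
    except ValueError as exc:
        return f"rejected: {exc}"
    return f"{name}: {bits}-bit key, {keyspace_vs_des(bits)} times the DES keyspace"


if __name__ == "__main__":
    # The string quoted in the thread (constructed by its poster; note the
    # 'G' and 'S', which cannot appear in gpg's hex output).
    POSTED = "9:4653465768797E97F6863768674FG464675676689DBFE3SD599B7662D4DF98B1"
    # Constructed inputs: a well-formed AES256 value of the same shape, a
    # 3DES value, and an AES128 value with too few key bytes.
    SAMPLES = [POSTED, "9:" + "00" * 32, "2:" + "11" * 24, "7:" + "22" * 8]
    for s in SAMPLES:
        print(s[:20] + "...", "->", check_posted_key(s))
```

The length check is the practical point of the exercise: whatever `--override-session-key` is fed must decode to exactly the key size the cipher id implies, so the "no special characters" observation in the question is just the hex alphabet, and the search space behind those 64 characters is 2^256 keys, not 16^64 typeable strings of arbitrary content.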