Chosen CipherText Vulnerability

Newton Hammet
Thu Oct 10 16:55:02 2002

Hello All,

   I am still struggling with the paper co-authored by Bruce Schneier,
among others, of "Implementation of Chosen-Ciphertext Attacks against
PGP and GnuPG."

   I have concluded that a key part of the vulnerability lies in the
recipient being snookered into sending back to "Mallory" the garbled
decrypted text as a quote.  If one never sends back the decrypted text
but a secure-hash of the decrypted text instead wouldn't this defeat
this type of attack?

   I propose the following rules to increase security when using GnuPG:

1. Never send back a decryption of anything to anybody, esp. if it is
tied back to a specific ciphertext.
2. Always have 2 different public keys, one for signing and one for
encryption. (and never swap their roles)
3. Never sign messages, only secure hashes of messages. (I think GnuPG
does this by default).

 Wondering if anyone has some thoughts on this, or opinions, on whether
or not these proposals are sound.

Regards, Newton
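The mechanism behind the "quote the garbled text back" problem is that an unauthenticated CFB ciphertext decrypts to *something* no matter how it was altered in transit, so the recipient is handed modified plaintext without any signal that anything is wrong. The following Python script is an added illustration, not code from the post above or from GnuPG/PGP. It implements textbook CFB mode over a toy block function (a keyed hash standing in for E_K, which is enough because CFB only ever calls the cipher in the forward direction), shows that one altered ciphertext byte lands verbatim in the decryption while only the next block turns to noise, applies rule 1 from the post (return a hash of the decryption rather than the decryption), and contrasts that with an encrypt-then-MAC tag, which stands in here for an integrity check such as OpenPGP's MDC or an AEAD tag: with the tag, the tampered message is rejected before any plaintext exists to be quoted. The keys, IV and message are constructed for the demonstration.

```python
"""Toy demonstration of ciphertext malleability in unauthenticated CFB mode,
and of an integrity check that stops the recipient ever decrypting tampered
data.  Added example; not code from the original post or from GnuPG."""
import hashlib
import hmac
from typing import Optional, Tuple

BLOCK = 16


def block_prf(key: bytes, block: bytes) -> bytes:
    """Stand-in for E_K(block).  CFB only calls the cipher forwards, so a
    keyed hash truncated to the block size is enough for a demonstration
    (this is not a real block cipher; do not reuse it outside this toy)."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cfb_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """C_i = P_i XOR E_K(C_{i-1}), with C_0 = IV.  A short final block simply
    uses a prefix of the last keystream block."""
    out = bytearray()
    prev = iv
    for i in range(0, len(plaintext), BLOCK):
        c = _xor(plaintext[i:i + BLOCK], block_prf(key, prev))
        out += c
        prev = c
    return bytes(out)


def cfb_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """P_i = C_i XOR E_K(C_{i-1}).  No error is ever raised: any input
    decrypts to *something*, which is the root of the problem."""
    out = bytearray()
    prev = iv
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out += _xor(c, block_prf(key, prev))
        prev = c
    return bytes(out)


def modify_block(ciphertext: bytes, block_index: int, offset: int, mask: int) -> bytes:
    """XOR one ciphertext byte with `mask`; models an in-transit modification."""
    ct = bytearray(ciphertext)
    ct[block_index * BLOCK + offset] ^= mask
    return bytes(ct)


def seal(enc_key: bytes, mac_key: bytes, iv: bytes, plaintext: bytes) -> Tuple[bytes, bytes]:
    """Encrypt-then-MAC; the tag plays the role of OpenPGP's MDC / an AEAD tag."""
    ct = cfb_encrypt(enc_key, iv, plaintext)
    tag = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    return ct, tag


def open_checked(enc_key: bytes, mac_key: bytes, iv: bytes,
                 ciphertext: bytes, tag: bytes) -> Optional[bytes]:
    """Return the plaintext only if the tag verifies, else None: the recipient
    never sees, let alone quotes, a garbled decryption."""
    expected = hmac.new(mac_key, iv + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return cfb_decrypt(enc_key, iv, ciphertext)


def demo() -> dict:
    # Constructed, fixed keys and IV so the run is deterministic.
    enc_key, mac_key = b"E" * 32, b"M" * 32
    iv = bytes(range(BLOCK))
    plaintext = b"Meet at the usual place at 10:00. Bring the documents."
    ct, tag = seal(enc_key, mac_key, iv, plaintext)

    # One byte of ciphertext block 1 is altered in transit (0x31 ^ 0x03 == 0x32).
    bad_ct = modify_block(ct, block_index=1, offset=11, mask=0x03)

    # Unauthenticated decryption: the altered byte appears verbatim in the
    # plaintext, the following block turns to noise, later blocks are
    # untouched, and nothing signals tampering.
    garbled = cfb_decrypt(enc_key, iv, bad_ct)

    # Rule 1 from the post: if anything goes back at all, send a hash of the
    # decryption rather than the decryption itself.
    reply_hash = hashlib.sha256(garbled).hexdigest()

    # With an integrity tag, the tampered message is rejected outright.
    checked = open_checked(enc_key, mac_key, iv, bad_ct, tag)
    return {
        "plaintext": plaintext,
        "garbled": garbled,
        "reply_hash": reply_hash,
        "checked": checked,
        "genuine_ok": open_checked(enc_key, mac_key, iv, ct, tag) == plaintext,
    }


if __name__ == "__main__":
    r = demo()
    print("unauthenticated decrypt of modified ciphertext:", r["garbled"])
    print("authenticated decrypt of modified ciphertext:  ", r["checked"])
```

Running the script shows the unauthenticated decryption reading "...usual place at 20:00" followed by sixteen bytes of noise and then the untouched tail, while the checked variant returns None. The hash-only reply of rule 1 keeps the altered plaintext out of the attacker's hands, but the tag is what removes the decryption oracle altogether, since the recipient never produces garbled plaintext in the first place; a hash reply still confirms that *a* decryption happened and is only as opaque as the plaintext is unguessable.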