MUA option "encrypt to self" weakness in certain situations?

[David Shaw]

On Sun, Apr 25, 2004 at 03:49:13PM +0200, Malte Gell wrote:
> Many MUA's or plugins allow to encrypt a message not only to the 
> recipient's key, but to your own key to keep the sent message secret on 
> your own machine.
> 
> But, can this strategy be a possible weakness? When using such an option 
> the message is now encrypted to 2 keys with the same session key: an 
> attacker can now chose which key to attack to restore the message. 
> 
> Example: I have a 2048 bit ELG-E subkey and send a message to a person 
> whose encryption key has 4096 bit, I have enabled the MUA's "encrypt to 
> self" option. So the encrypted message contains the session key twice, 
> encrypted to 2 keys. The overall security is now limited to the shorter 
> key. The recipient is confident his long key protects the message to 
> him, but actually the "encrypt to self" option limits this protection 
> to the shorter key.
> 
> This could mean that if someone (=recipient) uses a long key it may be 
> rendered "useless" without intention if the sender has a short(er) key 
> and uses such an "encrypt to self" option in his MUA. Is this thought 
> correct?

It's sort of correct, but not really a problem in the real world.  It
is true that the message is only as "safe" as the smallest key it is
encrypted to, but even the smaller key in your example is vastly
stronger than most attackers.

To put it another way, if your attacker can't climb more than 1000
feet, adding alligators and a moat to your 1001 foot wall doesn't
matter much.

It all depends on the attacker.

David