[Announce] Attack against OpenPGP encryption
dshaw at jabberwocky.com
Sat Feb 12 02:18:15 CET 2005
On Fri, Feb 11, 2005 at 04:05:17PM -0500, Atom Smasher wrote:
> as is obvious by my questions, i don't understand the math.
> Consequently, PGP Corporation, GnuPG, and Hush Communications are
> all disabling the quick check for all public key-encrypted
> messages and files. However, we are all presently leaving it in
> for symmetric (passphrase) encrypted messages and files because we
> believe the benefit of the quick check is greater than the
> security risk from it. You will see this change in the next
> software release from each group.
> what about data that is encrypted with both a symmetric and asymmetric
Even in those cases, the same methodology applies. If the candidate
session key came from an asymmetric decryption, then the check is not
done. If the candidate came from a passphrase mangling or
passphrase-encrypted session key, then the check is done.
> In our discussions with Mister and Zuccherato about their attack,
> we asked if they thought we should revise the protocol to address
> the problem. They told us they didn't think it was necessary - that
> an explanation of the issue and how to avoid it was good enough.
> As implementers of OpenPGP systems, however, we think we should
> update the protocol. People trust OpenPGP because we handle issues
> before they become real-world problems...
> how could this "become" a real world problem? is it conceivable that it
> might be leveraged into a stronger attack?
Probably not, but once weakness is visible, it's generally good
practice to start moving to something better. Look at MD5 - the first
weakness was shown in 1996, if I recall. It took 8 years to get to
the serious break in 2004, but OpenPGP started migrating away from it
back in 1996, so the break wasn't as big a deal.
> We are suggesting in the working group that we amend OpenPGP so
> there is a new symmetric encryption system that has a secure quick
> like using a strong hash for the quick check? wouldn't that also benefit
> symmetric encryption with no significant increase in computational
It wouldn't help or hurt the symmetric encryption. It would just help
in being a quick check.
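As an added illustration of the methodology described in the reply above (example code, not from the thread, GnuPG or any OpenPGP implementation): a toy decryptor that runs the prefix quick check only when the candidate session key came from a passphrase, and never branches on the prefix when the key came from public-key decryption. The prefix layout (BS random octets followed by a repeat of the last two) follows RFC 4880 section 13.9; the SHA-256 XOR keystream stands in for the real CFB cipher, and the session key and message are constructed.

```python
import hashlib
from enum import Enum

BLOCK_SIZE = 16  # cipher block size (BS); the prefix is BS random octets plus 2 repeated octets


class KeySource(Enum):
    PUBLIC_KEY = "session key recovered by public-key decryption"
    PASSPHRASE = "session key from passphrase mangling or a passphrase-encrypted key packet"


def toy_keystream(session_key: bytes, length: int) -> bytes:
    """Stand-in for the real cipher: a SHA-256 counter keystream (illustration only)."""
    out = b""
    for counter in range(-(-length // 32)):
        out += hashlib.sha256(session_key + counter.to_bytes(4, "big")).digest()
    return out[:length]


def toy_xor(key: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, toy_keystream(key, len(data))))


def build_plaintext(prefix: bytes, body: bytes) -> bytes:
    """RFC 4880 13.9 layout: BS prefix octets, octets BS-1 and BS repeated, then the body."""
    assert len(prefix) == BLOCK_SIZE
    return prefix + prefix[-2:] + body


def quick_check_passes(plaintext: bytes) -> bool:
    return plaintext[BLOCK_SIZE:BLOCK_SIZE + 2] == plaintext[BLOCK_SIZE - 2:BLOCK_SIZE]


def decrypt_with_policy(candidate_key: bytes, ciphertext: bytes, source: KeySource):
    """Return (body, quick_check_ran). body is None only when the check ran and failed."""
    plain = toy_xor(candidate_key, ciphertext)
    if source is KeySource.PASSPHRASE:
        if not quick_check_passes(plain):
            return None, True  # fast reject: almost certainly a mistyped passphrase
        return plain[BLOCK_SIZE + 2:], True
    # Public-key path: the prefix is never inspected, so a wrong candidate key produces
    # the same kind of output as a right one and the later integrity check (MDC) decides.
    return plain[BLOCK_SIZE + 2:], False


# Constructed sample message; a fixed prefix is used so the example is reproducible
# (real implementations draw the BS prefix octets at random for every message).
SESSION_KEY = b"constructed session key, not a real one"
PREFIX = bytes(range(0x10, 0x10 + BLOCK_SIZE))
CIPHERTEXT = toy_xor(SESSION_KEY, build_plaintext(PREFIX, b"hello, world"))
```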