[Announce] Attack against OpenPGP encryption

David Shaw dshaw at jabberwocky.com
Sat Feb 12 02:18:15 CET 2005

On Fri, Feb 11, 2005 at 04:05:17PM -0500, Atom Smasher wrote:
> As is obvious by my questions, I don't understand the math.
> http://www.pgp.com/library/ctocorner/openpgp.html
>   	Consequently, PGP Corporation, GnuPG, and Hush Communications are
>   	all disabling the quick check for all public key-encrypted
>   	messages and files. However, we are all presently leaving it in
>   	for symmetric (passphrase) encrypted messages and files because we
>   	believe the benefit of the quick check is greater than the
>   	security risk from it. You will see this change in the next
>   	software release from each group.
> what about data that is encrypted with both a symmetric and asymmetric 
> key?

Even in those cases, the same methodology applies.  If the candidate
session key came from an asymmetric decryption, then the check is not
done.  If the candidate came from a passphrase mangling or
passphrase-encrypted session key, then the check is done.

>   	In our discussions with Mister and Zuccherato about their attack,
>   	we asked if they thought we should revise the protocol to address
>   	the problem. They told us they didn't think it was necessary-that
>   	an explanation of the issue and how to avoid it was good enough.
>   	As implementers of OpenPGP systems, however, we think we should
>   	update the protocol. People trust OpenPGP because we handle issues
>   	before they become real-world problems...
> how could this "become" a real world problem? is it conceivable that it 
> might be leveraged into a stronger attack?

Probably not, but once weakness is visible, it's generally good
practice to start moving to something better.  Look at MD5 - the first
weakness was shown in 1996, if I recall.  It took 8 years to get to
the serious break in 2004, but OpenPGP started migrating away from it
back in 1996, so the break wasn't as big a deal.

>   	We are suggesting in the working group that we amend OpenPGP so
>   	there is a new symmetric encryption system that has a secure quick
>   	check.
> like using a strong hash for the quick check? wouldn't that also benefit 
> symmetric encryption with no significant increase in computational 
> resources?

It wouldn't help or hurt the symmetric encryption.  It would just help
in being a quick check.
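An added illustration of the policy described in this thread (it is not code from the thread or from GnuPG): the OpenPGP CFB "quick check" on the encrypted prefix (random block followed by a repeat of its last two bytes), gated on where the candidate session key came from. The block cipher is an assumed stand-in (HMAC-SHA256 truncated to one block), which is sound here only because CFB uses the cipher's forward direction alone; the `source` labels are likewise assumptions for the example.

```python
import hashlib
import hmac

BLOCK = 16  # block size in bytes (AES-sized)


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for the block cipher's forward direction (assumption: a keyed PRF)."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_prefix(key: bytes, rand: bytes) -> bytes:
    """Encrypt the OpenPGP prefix rand || rand[-2:] in CFB mode with a zero IV.

    Only the first BLOCK+2 bytes are produced; the later CFB resync is not
    needed to show the quick check.
    """
    assert len(rand) == BLOCK
    c1 = xor(rand, block_encrypt(key, bytes(BLOCK)))        # first full block
    c2 = xor(rand[-2:], block_encrypt(key, c1)[:2])          # two repeated bytes
    return c1 + c2


def decrypt_prefix(key: bytes, ciphertext: bytes) -> bytes:
    c1, c2 = ciphertext[:BLOCK], ciphertext[BLOCK:BLOCK + 2]
    p1 = xor(c1, block_encrypt(key, bytes(BLOCK)))
    p2 = xor(c2, block_encrypt(key, c1)[:2])
    return p1 + p2


def quick_check(key: bytes, ciphertext: bytes) -> bool:
    """The 16-bit quick check: bytes BLOCK-2..BLOCK must equal bytes BLOCK..BLOCK+2."""
    p = decrypt_prefix(key, ciphertext)
    return p[BLOCK - 2:BLOCK] == p[BLOCK:BLOCK + 2]


def verify_candidate_session_key(key: bytes, ciphertext: bytes, source: str):
    """Apply the policy from the thread.

    source is 'public-key' (session key came from an asymmetric decryption:
    skip the check, return None) or 'passphrase' (key came from passphrase
    mangling or a passphrase-encrypted session key: run the check).
    """
    if source == "public-key":
        return None
    return quick_check(key, ciphertext)
```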
