very short plaintexts symmetrically encrypted
vedaal at hush.com
vedaal at hush.com
Fri Jan 8 18:41:37 CET 2010
have been playing around with symmetrical encryption, and noticed
something potentially concerning.
Here are 6 symmetrically encrypted short plaintexts:
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: passphrase sss
jA0ECgMIml0qMoARY01g0kUBK8nPnLhmkn4QbxiOvxyn9eqhkzr5mNIwcsw6VBZ1
NN7uq1nmgognD0kmJgkGDNU4oz/vV+ejeWLVO3SmcHUy6u6w+Ms=
=XWY4
-----END PGP MESSAGE-----
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: passphrase sss
jA0ECgMIOndbAQsuZBZg0kUBK3MlS0cZpFiAOxryAQxURcemcoUU1rnXMWM4xKi0
W/uV+hvidvaT2TvSA/2xIbySxm73TXyls+bDlhD8MbZgtry6c9s=
=gedo
-----END PGP MESSAGE-----
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: passphrase sss
jA0ECgMI/nsO48zBbAFg0kUBq5wMSDD10nk1pVWEEBpvqwGz7WJhJ7IeM8C98p9G
Yt5MC9ttIMAkPiBZCngeGdj8nPGb4euDc1zd+7kma6vOJ8O1REM=
=pCzG
-----END PGP MESSAGE-----
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: passphrase sss
jA0ECgMIPXDKy8Ndvc1g0kYBknfVVdjMwW+69k1zvJ1r5UAh9RpGglqqhBTDx2t7
VUGkCEzvbvg4JgaPji7yxtV+/YWKDq3vNCryVvWgTqjvP72VdJcr
=mJ2N
-----END PGP MESSAGE-----
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: passphrase sss
jA0ECgMIYMx0p8nncL1g0kYByHXygeoyXbZfxf5ePIYlXqxVfqthNhw62xjx7tFQ
VwzfcRlmL1ngUHs0LBPT5Ze/eBOOqIGc2DJKUlzJYy3dxBrEbiZ0
=3xs4
-----END PGP MESSAGE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: passphrase sss
jA0ECgMIJ3YsA8JXXAZg0kYBvvU4H/c+d/D+nu8Dbc4WM9fRdKuzu/MVBFOGeq/f
Z+pQA6buwnRzlvXsliFZkt1GHCDuxWKaqtR7RBzL6U8G4hUfJINx
=+8HY
-----END PGP MESSAGE-----
The first 3 encryptions are of the word 'no', while the second 3
are of the word 'yes'.
All 6 are with the same passphrase 'sss' and the same algorithm,
twofish.
For the first 3, where only 2 letters of plaintext are encrypted,
the pgp encryption (before the checksum), ends in the '=' padding
character.
For the second 3, where 3 letters are encrypted, the message ends
in a different character (no padding).
Should it be 'this easy' to distinguish the relative lengths of
plaintexts just by looking at the ascii armor??
Obviously, encryptions of much longer plaintexts can't be expected
to be the same size as that of a 2 character plaintext, and I
haven't taken a long careful look at this, but I suspect that by
increasing the plaintext one character at a time, and looking at
the encrypted outputs, it should be possible to detect 'ranges' of
plaintext length that correspond to a particular ciphertext length
for symmetrically encrypted unsigned messages.
At any rate, it seems disturbingly easy to distinguish between
symmetrically encrypted messages having only the word 'yes' or 'no'
just by 'looking' at the ciphertext.
--vedaal
More information about the Gnupg-users
mailing list