very short plaintexts symmetrically encrypted

vedaal at hush.com vedaal at hush.com
Fri Jan 8 18:41:37 CET 2010 

have been playing around with symmetrical encryption, and noticed 
something potentially concerning.

Here are 6 symmetrically encrypted short plaintexts:

-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.9 (MingW32) 
Comment: passphrase  sss

jA0ECgMIml0qMoARY01g0kUBK8nPnLhmkn4QbxiOvxyn9eqhkzr5mNIwcsw6VBZ1
NN7uq1nmgognD0kmJgkGDNU4oz/vV+ejeWLVO3SmcHUy6u6w+Ms=
=XWY4
-----END PGP MESSAGE-----


-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.9 (MingW32) 
Comment: passphrase  sss

jA0ECgMIOndbAQsuZBZg0kUBK3MlS0cZpFiAOxryAQxURcemcoUU1rnXMWM4xKi0
W/uV+hvidvaT2TvSA/2xIbySxm73TXyls+bDlhD8MbZgtry6c9s=
=gedo
-----END PGP MESSAGE-----


-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.9 (MingW32) 
Comment: passphrase  sss

jA0ECgMI/nsO48zBbAFg0kUBq5wMSDD10nk1pVWEEBpvqwGz7WJhJ7IeM8C98p9G
Yt5MC9ttIMAkPiBZCngeGdj8nPGb4euDc1zd+7kma6vOJ8O1REM=
=pCzG
-----END PGP MESSAGE-----




-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.9 (MingW32) 
Comment: passphrase  sss

jA0ECgMIPXDKy8Ndvc1g0kYBknfVVdjMwW+69k1zvJ1r5UAh9RpGglqqhBTDx2t7
VUGkCEzvbvg4JgaPji7yxtV+/YWKDq3vNCryVvWgTqjvP72VdJcr
=mJ2N
-----END PGP MESSAGE-----


-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.9 (MingW32) 
Comment: passphrase  sss

jA0ECgMIYMx0p8nncL1g0kYByHXygeoyXbZfxf5ePIYlXqxVfqthNhw62xjx7tFQ
VwzfcRlmL1ngUHs0LBPT5Ze/eBOOqIGc2DJKUlzJYy3dxBrEbiZ0
=3xs4
-----END PGP MESSAGE-----


Version: GnuPG v1.4.10 (MingW32) 
Comment: passphrase sss

jA0ECgMIJ3YsA8JXXAZg0kYBvvU4H/c+d/D+nu8Dbc4WM9fRdKuzu/MVBFOGeq/f
Z+pQA6buwnRzlvXsliFZkt1GHCDuxWKaqtR7RBzL6U8G4hUfJINx
=+8HY
-----END PGP MESSAGE-----


The first 3 encryptions are of the word 'no', while the second 3 
are of the word 'yes'.

All 6 are with the same passphrase 'sss' and the same algorithm, 
twofish.

For the first 3, where only 2 letters of plaintext are encrypted,
the pgp encryption (before the checksum), ends in the '=' padding 
character.

For the second 3, where 3 letters are encrypted, the message ends 
in a different character (no padding).


Should it be 'this easy' to distinguish the relative lengths of 
plaintexts just by looking at the ascii armor??  


Obviously, encryptions of much longer plaintexts can't be expected 
to be the same size as that of a 2 character plaintext, and I 
haven't taken a long careful look at this, but I suspect that by 
increasing the plaintext one character at a time, and looking at 
the encrypted outputs, it should be possible to detect 'ranges' of 
plaintext length that correspond to a particular ciphertext length 
for symmetrically encrypted unsigned messages.

At any rate, it seems disturbingly easy to distinguish between 
symmetrically encrypted messages having only the word 'yes' or 'no' 
just by 'looking' at the ciphertext.


--vedaal

More information about the Gnupg-users mailing list