weird behavior of symmetrically encrypted file

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Jan 15 20:55:50 CET 2010


Hi Tobias--

On 01/15/2010 04:24 AM, Tobias wrote:
> Why do I get a passphrase ("3ity") which I can't remember having ever
> used in my life? Why does gpg regard it as correct but still not decrypt
> my file? And apart from these somewhat academical questions: Is there a
> way I can use the half-correct passphrase to refine (which means, speed
> up) my search for the truly correct one? If I can use it to
> significantly reduce the set of possible passphrases, it may save me
> some decades worth of blind guessing.

I suspect what you're seeing is a function of the way the OpenPGP
standard handles passphrase calculations for "Symmetrically Encrypted
Data Packet" [0].

Basically, the data that is being symmetrically encrypted is prefixed
with an IV that contains a duplicated chunk of 16 bits for a
non-normative "quick check" that the session key was correct.  This
means that 1 out of 2^16 choices of session key will falsely pass the
quick-check purely by chance, even though the material is actually not
correctly decrypted.

I don't know what brute force method you were using, but i suspect you
had about 5 bits of entropy per character in your enumerations.  For
example, all lower-case letters plus numbers is a total of 36
possibilities, which is just about 5 bits (2^5 == 32).  With 4-character
passphrases at 5 bits per character, you would run through 2^20
passphrases.  So it's likely that you exhausted 2^16 passphrases, and
stumbled into one of the "quick check" false positives.  This does *not*
mean that your data is insecure.  It means the quick check is advisory
at best.

(see also the security considerations related to this "quick check" [1])

hope this helps,

	--dkg

[0] http://tools.ietf.org/html/rfc4880#section-5.7
[1] http://tools.ietf.org/html/rfc4880#page-84

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 891 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20100115/736361e3/attachment.pgp>


More information about the Gnupg-users mailing list