dshaw at jabberwocky.com
Tue Mar 22 16:28:25 CET 2011
On Mar 22, 2011, at 10:44 AM, Jerome Baum wrote:
> David Shaw <dshaw at jabberwocky.com> writes:
>> In addition to the size and type information, there is also an
>> interesting attack that can be done against speculative key IDs. It
>> doesn't (directly) help a third party know who the recipients are, but
>> it does let any recipient try to confirm a guess as to who another
>> recipient might be.
>> Let's say you encrypt a message to Alice and Baker and hide the key
>> IDs. Alice gets the message and knows there is one other recipient
>> aside from herself. She considers who the message came from and what
>> the message was about and makes an educated guess that the other
>> recipient is Baker. To confirm her guess, all Alice needs to do send
>> a specially rigged speculative key ID message to Baker. If Baker
>> responds, then Alice knows he was the other recipient.
> Would that be by reusing the session key? Or are there other properties
> that we can mess with?
Sorry, yes, that's re-using the session key (didn't mean to be mysterious). Since Alice, as a recipient, can find the session key, she can encrypt a new message to Baker with that session key, prefix it with the unknown recipient's encrypted session key, and send the whole message to Baker. If Baker can read it, then it reveals who the unknown recipient is.
Of course, if Baker can't read it, it might tip him off that Alice is probing him...
> How about, say I know the session key and the public encryption key of
> the suspect, can't I just encrypt the session key to that public key and
> see if it comes out the same?
Unfortunately there is random data in the encrypted session key format, so the test encryption would not match Baker's encrypted session key.
More information about the Gnupg-users