how vulnerable is "hidden-encrypt-to"

vedaal at nym.hush.com vedaal at nym.hush.com
Mon Aug 20 22:42:31 CEST 2012


On Mon, 20 Aug 2012 13:57:41 -0400 Jens Lechtenboerger 
<cloudpg at informationelle-selbstbestimmung-im-internet.de> wrote:

>In contrast, I interpreted the original question in terms of
>recipient anonymity: Bob wants to encrypt a message to some
>undisclosed list of recipients (say, including Alice and Eve), and
>nobody should be able to figure out who (else) is on the list.
>Clearly, the fact whether I can decrypt the message tells me whether
>I'm on the list or not; however, I should not be able to learn more
>than that.  In particular, I should not be able to identify any
>other recipient.

=====

The simplest way to do that is to send the message encrypted to 
only one recipient at a time.

Now, if the sender *wanted* to mislead, she could, in addition to 
sending encrypted messages to the 'real' people she wanted to send 
to, also use hidden-encrypt to anyone else's public key, 
and send people on a wild chase of trying to see who else it was 
encrypted to.

=====

>In that situation, my previous posting was meant to suggest that 
>Eve (if she has access to the public RSA key of Alice used by Bob) 
>will be able to figure out that the message was also encrypted to 
>Alice.

=====

I'm not sure about this.

The way RSA works is that the session key has *padding* added 
before it is encrypted to a public key.
It may even have *different* padding for each public key it is 
encrypted to in the same gnupg command.
(Maybe those who really know about this, could comment if the 
padding is the same or different for each public key RSA encrypted 
packet in one encrypted gnupg message).

If so, and there is different padding, then you will not be able to 
determine whose key it is just by trying to re-encrypt the session 
key to a trial list of public keys, and comparing the ciphertext.

Even if it is not so, (i.e. that there is no 'different' padding), 
it will not be easy for an average user to re-encrypt, as (afaik), 
gnupg doesn't list the padding upon decryption.
 
(It could be done though, by decrypting that packet directly with 
RSA tools, but probably not by the average user :-)  ...  )


vedaal
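
The trial re-encryption comparison discussed in this message, as an added example (not part of the original post and not GnuPG code). It contrasts a fixed filler with the random non-zero filler of EME-PKCS1-v1_5, which RFC 4880 specifies for the RSA-encrypted session key. The toy key, the session key and all function names are constructed for illustration, and the OpenPGP algorithm-id prefix and checksum around the session key are omitted.

```python
import secrets

# Constructed toy key for "Alice": two Mersenne primes. NOT a secure key.
P, Q, E = 2**127 - 1, 2**521 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)
K = (N.bit_length() + 7) // 8          # modulus length in bytes

def pad_fixed(m: bytes) -> bytes:
    """Hypothetical 'same padding every time' case: constant 0xFF filler."""
    return b"\x00\x02" + b"\xff" * (K - 3 - len(m)) + b"\x00" + m

def pad_random(m: bytes) -> bytes:
    """EME-PKCS1-v1_5 layout: 00 02 <random non-zero filler, >= 8 bytes> 00 m."""
    n_fill = K - 3 - len(m)
    if n_fill < 8:
        raise ValueError("message too long for this modulus")
    fill = bytes(secrets.randbelow(255) + 1 for _ in range(n_fill))
    return b"\x00\x02" + fill + b"\x00" + m

def rsa_encrypt(m: bytes, pad) -> int:
    return pow(int.from_bytes(pad(m), "big"), E, N)

def rsa_decrypt(ct: int) -> bytes:
    """Recipient side: strip the padding, return only the session key."""
    em = pow(ct, D, N).to_bytes(K, "big")
    return em[em.index(b"\x00", 2) + 1:]

def trial_matches(session_key: bytes, observed_ct: int, pad) -> bool:
    """Re-encrypt a known session key to Alice's public key and compare."""
    return rsa_encrypt(session_key, pad) == observed_ct

def demo():
    session_key = secrets.token_bytes(16)          # constructed session key
    fixed_ct = rsa_encrypt(session_key, pad_fixed)
    random_ct = rsa_encrypt(session_key, pad_random)
    # Both packets decrypt to the same session key for the real recipient.
    assert rsa_decrypt(fixed_ct) == rsa_decrypt(random_ct) == session_key
    return (trial_matches(session_key, fixed_ct, pad_fixed),
            trial_matches(session_key, random_ct, pad_random))

if __name__ == "__main__":
    # (fixed filler comparison matches, random filler comparison matches)
    print(demo())
```

With the fixed filler the comparison matches; with the random filler a fresh encryption of the same session key does not reproduce the observed packet.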



