how vulnerable is "hidden-encrypt-to"

vedaal at nym.hush.com
Tue Aug 21 19:55:47 CEST 2012


On Tue, 21 Aug 2012 11:59:20 -0400 Jens Lechtenboerger 
<cloudpg at informationelle-selbstbestimmung-im-internet.de> wrote:

>Also, "different" would need to be random and of sufficient
>length...

=====

It is.  See RFC4880, 
(it's one of the 'MUST' implementations for all open-pgp's) 

http://tools.ietf.org/html/rfc4880

(specific sections will be quoted below)

=====

>I'm not concerned whether the average user can do this right now
>or not.  I'm concerned about experts (that could also provide attack
>tools to average users).

=====

Even the experts should not be able to.
See the quoted sections below.


=====[ begin quoted sections ]=====


5.1.  Public-Key Encrypted Session Key Packets (Tag 1)

...

   Note that when an implementation forms several PKESKs with one
   session key, forming a message that can be decrypted by several keys,
   the implementation MUST make a new PKCS#1 encoding for each key.

...


7.2 RSAES-PKCS1-v1_5

    * It is recommended that the pseudorandom octets in step 2 in
      Section 7.2.1 be generated independently for each encryption
      process, especially if the same data is input to more than one
      encryption process.  Haastad's results [24] are one motivation for
      this recommendation.

    * The padding string PS in step 2 in Section 7.2.1 is at least eight
      octets long, which is a security condition for public-key
      operations that makes it difficult for an attacker to recover data
      by trying all possible encryption blocks.

...
	  
13.1.1.  EME-PKCS1-v1_5-ENCODE

   Input:

   k  = the length in octets of the key modulus

   M  = message to be encoded, an octet string of length mLen, where
        mLen <= k - 11

   Output:

   EM = encoded message, an octet string of length k

   Error:   "message too long"

     1. Length checking: If mLen > k - 11, output "message too long" and
        stop.

     2. Generate an octet string PS of length k - mLen - 3 consisting of
        pseudo-randomly generated nonzero octets.  The length of PS will
        be at least eight octets.

     3. Concatenate PS, the message M, and other padding to form an
        encoded message EM of length k octets as

        EM = 0x00 || 0x02 || PS || 0x00 || M.

     4. Output EM.


=====[ end quoted sections ]=====


vedaal

n.b.

If you are interested in looking into this rigorously further, I 
recommend you contact Professor Dan Boneh.

http://crypto.stanford.edu/~dabo/

(He is an authority on RSA, teaches a free online Cryptography 
course at Stanford University, and has a clear style and is 
reasonably accessible.)
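
The encoding quoted in the message above, as an added Python example that is not part of the original post or of GnuPG's code: it builds M for a PKESK (algorithm octet, session key, two-octet checksum, per RFC 4880 section 5.1) and shows that encoding the same session key for two recipients yields two different blocks before the RSA operation is applied. The function names, the 256-octet modulus length and the sample session key are assumptions made for the illustration.

```python
import secrets

def pkesk_m(sym_algo, session_key):
    """M for a PKESK (RFC 4880 section 5.1): algorithm octet, key, 2-octet checksum."""
    checksum = sum(session_key) % 65536
    return bytes([sym_algo]) + session_key + checksum.to_bytes(2, "big")

def eme_pkcs1_v15_encode(m, k):
    """Steps 1-4 of the quoted EME-PKCS1-v1_5-ENCODE; k is the modulus length in octets."""
    if len(m) > k - 11:                        # step 1: length check
        raise ValueError("message too long")
    # step 2: k - mLen - 3 random NONZERO octets (each value in 1..255)
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(k - len(m) - 3))
    return b"\x00\x02" + ps + b"\x00" + m      # steps 3-4

def eme_pkcs1_v15_decode(em, k):
    """Inverse of the encoding. Not constant-time: for illustration only."""
    sep = em.find(b"\x00", 2)                  # first zero octet after PS
    # sep < 10 covers both "no separator" (-1) and "PS shorter than 8 octets"
    if len(em) != k or em[:2] != b"\x00\x02" or sep < 10:
        raise ValueError("decryption error")
    return em[sep + 1:]

def encode_for_recipients(m, modulus_lengths):
    """One fresh encoding per recipient key, as the quoted section 5.1 text requires."""
    return [eme_pkcs1_v15_encode(m, k) for k in modulus_lengths]

if __name__ == "__main__":
    key = secrets.token_bytes(32)              # constructed sample AES-256 session key
    m = pkesk_m(9, key)                        # 9 = AES-256 in RFC 4880
    # Two recipients with 2048-bit (256-octet) moduli: same M, different EM.
    for em in encode_for_recipients(m, [256, 256]):
        print(em.hex()[:48], "...")
```

Each EM is what the RSA public-key operation is then applied to, so the two ciphertexts do not share a common plaintext block even though they carry the same session key.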
