how vulnerable is "hidden-encrypt-to"

vedaal at vedaal at
Tue Aug 21 19:55:47 CEST 2012

On Tue, 21 Aug 2012 11:59:20 -0400 Jens Lechtenboerger 
<cloudpg at> wrote:

>Also, "different" would need to be random and of sufficient


It is.  See RFC4880, 
(it's one of the 'MUST' implementations for all open-pgp's)

(specific sections will be quoted below)


>I'm not concerned whether the average user can do this right now 
>or not.  I'm concerned about experts (that could also provide 
>tools to average users).


Even the experts should not be able to.
See the quoted sections below.

=====[ begin quoted sections ]=====

5.1.  Public-Key Encrypted Session Key Packets (Tag 1)


   Note that when an implementation forms several PKESKs with one
   session key, forming a message that can be decrypted by several 
   the implementation MUST make a new PKCS#1 encoding for each key.


7.2 RSAES-PKCS1-v1_5

    * It is recommended that the pseudorandom octets in step 2 in
      Section 7.2.1 be generated independently for each encryption
      process, especially if the same data is input to more than 
      encryption process.  Haastad's results [24] are one motivation for
      this recommendation.

    * The padding string PS in step 2 in Section 7.2.1 is at least 
      octets long, which is a security condition for public-key
      operations that makes it difficult for an attacker to recover 
      by trying all possible encryption blocks.

13.1.1.  EME-PKCS1-v1_5-ENCODE


   k  = the length in octets of the key modulus

   M  = message to be encoded, an octet string of length mLen, 
        mLen <= k - 11


   EM = encoded message, an octet string of length k

   Error:   "message too long"

     1. Length checking: If mLen > k - 11, output "message too long" and

     2. Generate an octet string PS of length k - mLen - 3 consisting of
        pseudo-randomly generated nonzero octets.  The length of PS 
        be at least eight octets.

     3. Concatenate PS, the message M, and other padding to form an
        encoded message EM of length k octets as

        EM = 0x00 || 0x02 || PS || 0x00 || M.

     4. Output EM.

=====[ end quoted sections ]=====



If you are interested in looking into this rigorously further, I 
recommend you contact Professor Dan Boneh.

(He is an authority on RSA, teaches a free online Cryptography 
course at Stanford University, and has a clear style and is 
reasonably accessible.)
