Possible bug in gpg?

David Shaw dshaw at jabberwocky.com
Sun Jul 29 18:11:54 CEST 2012


On Jul 29, 2012, at 9:29 AM, Johan Wevers wrote:

> On 29-07-2012 6:48, David Shaw wrote:
> 
>> To combat this, OpenPGP has two "quick check" bytes in the encrypted data packet.
>> Basically, they're a repetition of two random bytes from earlier in the message.
> 
> Does this not lead to a possible known-plaintext attack on gpg?

The attack a few years ago was chosen-ciphertext.  For those who don't recall, if you have a system that will decrypt messages submitted to it, and will return an error if the message doesn't decrypt (i.e. you've made an oracle), you can use this attack to get 2 bytes out of every cipher block in 2^15 attempts on average, per block.  It's not necessary for the attack, but if you know the first 2 bytes of the plaintext that helps start the chain (and in OpenPGP you can virtually always guess the contents of the first 2 bytes).

This is not a weakness of the cipher in question (it applies to all OpenPGP ciphers), but is due to the OpenPGP CFB "stutter" of the quick check.

Read the whole paper at http://eprint.iacr.org/2005/033.pdf  It's interesting work.

This happened before RFC-4880 was published, so there is some discussion of it in there as well.  It is why GnuPG (and possibly PGP - I don't recall offhand) ignores the quick check bytes when decrypting a public key encrypted message.  We do still use them for symmetric messages for obvious reasons, which is why the original poster saw the oddity he did.  I'm guessing he set up a brute force password cracker for that message and was surprised to see just how many passphrases "succeeded", but didn't manage to decrypt the message.

David
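The attack described above, as an added worked example that is not part of David's message, the cited paper, or GnuPG's source. It models OpenPGP CFB exactly as RFC 4880 section 13.9 lays it out (random prefix block, two quick-check bytes, resync on ciphertext bytes 2..BS+1), with a keyed SHA-256 truncation standing in for the real block cipher (CFB only ever runs the cipher forward, so a PRF is enough for the demonstration). The decryption oracle, the key, the sample plaintext and the assumption that the attacker knows the first two plaintext bytes are all constructed for this example; in a real message those bytes would be a guessable packet header, as the post says.

```python
"""Toy model of the Mister/Zuccherato (eprint 2005/033) quick-check oracle attack.

Added example, not code from the thread or from GnuPG.  The attacker can submit
ciphertexts and learns only whether the quick-check bytes matched.
"""
import hashlib
import os

BS = 16  # block size in bytes (assumption: an AES-sized cipher)


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for the cipher's forward direction; CFB never needs the inverse."""
    assert len(block) == BS
    return hashlib.sha256(key + block).digest()[:BS]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def openpgp_cfb_encrypt(key: bytes, plaintext: bytes, prefix: bytes) -> bytes:
    """OpenPGP CFB (RFC 4880 13.9): prefix block, two quick-check bytes, resync."""
    assert len(prefix) == BS
    fre = block_encrypt(key, bytes(BS))                 # FR starts as all zeros
    out = bytearray(xor(fre, prefix))                   # C[0..BS-1] = E(0) XOR prefix
    fre = block_encrypt(key, bytes(out[:BS]))
    out += bytes([fre[0] ^ prefix[BS - 2], fre[1] ^ prefix[BS - 1]])  # quick check
    fr = bytes(out[2:BS + 2])                           # the "stutter": resync here
    for i in range(0, len(plaintext), BS):
        c = xor(block_encrypt(key, fr), plaintext[i:i + BS])
        out += c
        fr = c                                          # ordinary CFB chaining from now on
    return bytes(out)


def openpgp_cfb_decrypt(key: bytes, ct: bytes):
    """Returns (plaintext, quick_check_ok)."""
    prefix = xor(block_encrypt(key, bytes(BS)), ct[:BS])
    fre = block_encrypt(key, ct[:BS])
    ok = bytes([ct[BS] ^ fre[0], ct[BS + 1] ^ fre[1]]) == prefix[BS - 2:BS]
    fr, pt = ct[2:BS + 2], bytearray()
    for i in range(BS + 2, len(ct), BS):
        c = ct[i:i + BS]
        pt += xor(block_encrypt(key, fr), c)
        fr = c
    return bytes(pt), ok


class QuickCheckOracle:
    """Constructed oracle: a decryptor that only reports quick-check success."""

    def __init__(self, key: bytes):
        self._key, self.queries = key, 0

    def __call__(self, ct: bytes) -> bool:
        self.queries += 1
        return openpgp_cfb_decrypt(self._key, ct)[1]


def find_quick_check(oracle, x: bytes) -> bytes:
    """Brute-force the two quick-check bytes for a forged message whose prefix block is x.
    The oracle accepts exactly when q == E(x)[0:2] XOR x[BS-2:BS] XOR E(0)[BS-2:BS],
    so one hit out of 2^16 (2^15 on average) pins E(x)[0:2] up to a fixed constant."""
    for q in range(1 << 16):
        forged = x + q.to_bytes(2, "big") + bytes(BS)   # body bytes never affect the check
        if oracle(forged):
            return q.to_bytes(2, "big")
    raise RuntimeError("oracle never accepted")


def recover_two_bytes_per_block(oracle, ct: bytes, known_first_two: bytes):
    """Recover plaintext bytes 0..1 of every block, 2^15 oracle queries each on average."""
    iv = ct[2:BS + 2]
    blocks = [ct[i:i + BS] for i in range(BS + 2, len(ct), BS)]
    # Step 1: the guessable first two plaintext bytes give E(iv)[0:2] directly,
    # and one search then yields the unknown constant K = E(0)[BS-2:BS].
    q = find_quick_check(oracle, iv)
    e_iv = xor(blocks[0][:2], known_first_two)
    K = xor(xor(q, iv[BS - 2:]), e_iv)
    # Step 2: for block j, feed its predecessor as the prefix block; the accepted q
    # reveals E(pred)[0:2], which is exactly the keystream covering P_j[0:2].
    recovered, prev, q_prev = [], iv, q
    for blk in blocks:
        if q_prev is None:
            q_prev = find_quick_check(oracle, prev)
        e_prev = xor(xor(q_prev, prev[BS - 2:]), K)
        recovered.append(xor(blk[:2], e_prev))
        prev, q_prev = blk, None
    return recovered


def demo():
    key = b"constructed-demo-key"                       # constructed, not a real key
    plaintext = b"Attack at dawn, then regroup at the mill by noon."  # constructed
    ct = openpgp_cfb_encrypt(key, plaintext, os.urandom(BS))
    oracle = QuickCheckOracle(key)
    got = recover_two_bytes_per_block(oracle, ct, plaintext[:2])
    expected = [plaintext[i:i + 2] for i in range(0, len(plaintext), BS)]
    return got, expected, oracle.queries


if __name__ == "__main__":
    got, expected, n = demo()
    print("recovered:", got, "matches:", got == expected, "queries:", n)
```

The attack never touches the cipher key and works for any cipher plugged into `block_encrypt`, which is the point David makes: the leak comes from the quick-check stutter in the mode, not from the cipher. It also shows why ignoring the quick-check bytes on decryption (as GnuPG does for public-key messages) closes the oracle, and why a brute-force passphrase cracker keyed on those two bytes alone will report roughly one false "success" per 65536 passphrases.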
