Oracle behavior in Gnupg? // (was 'possible bug in gpg?')

vedaal at nym.hush.com vedaal at nym.hush.com
Mon Jul 30 16:45:19 CEST 2012


While playing around with --override-session-key, have noticed 
that gpg gives many different sets of error messages when trying 
out different session keys.

Here is an interesting example:

First, the gnupg encrypted text:

-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.12 (MingW32)
Comment: encrypted to my default public key
-----END PGP MESSAGE-----

Here is the REAL session key:
10:A57B66F81B20273C587619AEA4C839D376DF50D23C946E97FB290D01CE9E1F8D

-----

Here is a 'starting' trial session key
(chosen as a start as it's easy to describe and keep track of the 
changes)
10:123456789a123456789b123456789c123456789d123456789e123456789f1234

Here is the gpg output:

gpg --override-session-key 10:123456789a123456789b123456789c123456789d123456789e123456789f1234 e:\jt1.txt.asc
gpg: armor: BEGIN PGP MESSAGE
gpg: armor header: Version: GnuPG v1.4.12 (MingW32)
gpg: armor header: Comment: encrypted to my default public key
:pubkey enc packet: version 3, algo 1, keyid 506F4FA1D35FB186
        data: [4094 bits]
gpg: public key is D35FB186
gpg: public key encrypted data: good DEK
:encrypted data packet:
        length: 72
        mdc_method: 2
gpg: encrypted with 4096-bit RSA key, ID D35FB186, created 2008-01-22
      "vedaal nistar (previous addresses were spam flooded) <vedaal at nym.hush.com>"
gpg: TWOFISH encrypted data
gpg: [don't know]: invalid packet (ctb=37)
gpg: mdc_packet with invalid encoding
gpg: decryption failed: invalid packet
gpg: onepass_sig with unknown version 146
-----

Here is the session key with the REAL first 4 characters of the 
session key:

10:A57B56789a123456789b123456789c123456789d123456789e123456789f1234

Here is the gpg output:

gpg --override-session-key 10:A57B56789a123456789b123456789c123456789d123456789e123456789f1234 e:\jt1.txt.asc
gpg: armor: BEGIN PGP MESSAGE
gpg: armor header: Version: GnuPG v1.4.12 (MingW32)
gpg: armor header: Comment: encrypted to my default public key
:pubkey enc packet: version 3, algo 1, keyid 506F4FA1D35FB186
        data: [4094 bits]
gpg: public key is D35FB186
gpg: public key encrypted data: good DEK
:encrypted data packet:
        length: 72
        mdc_method: 2
gpg: encrypted with 4096-bit RSA key, ID D35FB186, created 2008-01-22
      "vedaal nistar (previous addresses were spam flooded) <vedaal at nym.hush.com>"
gpg: TWOFISH encrypted data
:unknown packet: type 50, length 152
dump: 36 53 de 6e 59 4d d2 0f  f4 09 98 87 31 bc a9 3c  1e fd 11 8a ae 92 5e 14
  24: b8 d4 64 f5 be EOF
gpg: mdc_packet with invalid encoding
gpg: decryption failed: invalid packet
-----

Have not tried all the 2^16 possibilities for the first 4 
characters, but the few that I have tried lead to the same error 
message as the first trial.

Could this be Oracle behavior on Gnupg's part, leading to a leak of 
the first 4 characters of the session key?

fwiw,

This doesn't extend to finding out the next 4 real characters of 
the session key.

Here is the gpg output when the first 8 real characters are used:

gpg --override-session-key 10:A57B66F89a123456789b123456789c123456789d123456789e123456789f1234 e:\jt1.txt.asc
gpg: armor: BEGIN PGP MESSAGE
gpg: armor header: Version: GnuPG v1.4.12 (MingW32)
gpg: armor header: Comment: encrypted to my default public key
:pubkey enc packet: version 3, algo 1, keyid 506F4FA1D35FB186
        data: [4094 bits]
gpg: public key is D35FB186
gpg: public key encrypted data: good DEK
:encrypted data packet:
        length: 72
        mdc_method: 2
gpg: encrypted with 4096-bit RSA key, ID D35FB186, created 2008-01-22
      "vedaal nistar (previous addresses were spam flooded) <vedaal at nym.hush.com>"
gpg: TWOFISH encrypted data
gpg: mdc_packet with invalid encoding
gpg: decryption failed: invalid packet
----

Here is the gpg output when only the 2nd real 4 characters are 
used:

gpg --override-session-key 10:123466F89a123456789b123456789c123456789d123456789e123456789f1234 e:\jt1.txt.asc
gpg: armor: BEGIN PGP MESSAGE
gpg: armor header: Version: GnuPG v1.4.12 (MingW32)
gpg: armor header: Comment: encrypted to my default public key
:pubkey enc packet: version 3, algo 1, keyid 506F4FA1D35FB186
        data: [4094 bits]
gpg: public key is D35FB186
gpg: public key encrypted data: good DEK
:encrypted data packet:
        length: 72
        mdc_method: 2
gpg: encrypted with 4096-bit RSA key, ID D35FB186, created 2008-01-22
      "vedaal nistar (previous addresses were spam flooded) <vedaal at nym.hush.com>"
gpg: TWOFISH encrypted data
gpg: [don't know]: invalid packet (ctb=32)
gpg: mdc_packet with invalid encoding
gpg: decryption failed: invalid packet

Both examples give error messages identical to the first one, 
except that when the first 8 real characters are used, the error 
message of 'gpg: [don't know]: invalid packet (ctb=37)' is not 
present, and when the second real 4 characters are used, there is a 
'different' error message of 'gpg: [don't know]: invalid packet 
(ctb=32)'.

Anything real about the 'oracle' action in any of this ?


vedaal
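
The diagnostics quoted in the post ('invalid packet (ctb=37)', 'unknown packet: type 50', 'onepass_sig with unknown version 146') are packet-parser messages about a packet tag octet. As an added example, not part of the original post and not GnuPG's own code, the following Python classifies a tag octet according to RFC 4880 sections 4.2 and 4.3 and tallies the outcomes over all 256 octet values. The function names and tag labels are illustrative, and treating the reserved tag 0 and tags 60 to 63 as unknown is a simplifying assumption.

```python
from collections import Counter

# Packet tags defined in RFC 4880 section 4.3; labels are illustrative.
# Assumption: reserved tag 0 and private tags 60-63 are treated as unknown.
KNOWN_TAGS = {
    1: "pubkey enc", 2: "signature", 3: "symkey enc", 4: "onepass_sig",
    5: "secret key", 6: "public key", 7: "secret subkey", 8: "compressed",
    9: "encrypted data", 10: "marker", 11: "literal data", 12: "trust",
    13: "user ID", 14: "public subkey", 17: "attribute",
    18: "encrypted+mdc", 19: "mdc",
}

def classify_ctb(ctb):
    """Classify a packet tag octet per RFC 4880 section 4.2.

    Returns (kind, tag) where kind is 'invalid', 'known' or 'unknown'.
    """
    if not 0 <= ctb <= 0xFF:
        raise ValueError("ctb must be a single octet")
    if not ctb & 0x80:            # bit 7 must be set in every packet tag
        return ("invalid", None)
    if ctb & 0x40:                # new format: tag is bits 5-0
        tag = ctb & 0x3F
    else:                         # old format: tag is bits 5-2
        tag = (ctb >> 2) & 0x0F
    return ("known" if tag in KNOWN_TAGS else "unknown", tag)

def diagnostic(ctb):
    """Render the classification in the style of the messages in the post."""
    kind, tag = classify_ctb(ctb)
    if kind == "invalid":
        return f"invalid packet (ctb={ctb:02x})"
    if kind == "unknown":
        return f"unknown packet: type {tag}"
    return f"parsed as {KNOWN_TAGS[tag]} packet"

def first_octet_histogram():
    """Count the outcomes over all 256 possible tag octets."""
    return Counter(classify_ctb(b)[0] for b in range(256))

if __name__ == "__main__":
    # Constructed inputs: octets chosen to match the diagnostics in the post.
    for ctb in (0x37, 0x32, 0xF2, 0x90):
        print(f"0x{ctb:02x}: {diagnostic(ctb)}")
    print(dict(first_octet_histogram()))
```

Half of all octet values (128 of 256) fail the bit-7 check, so 'invalid packet (ctb=..)' is the most frequent result whenever the parser is handed bytes that are not packet data.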
 




More information about the Gnupg-users mailing list