Oracle behavior in Gnupg? // (was 'possible bug in gpg?')

Thomas Harning Jr. harningt at gmail.com
Mon Jul 30 16:59:04 CEST 2012


On Mon, Jul 30, 2012 at 10:45 AM,  <vedaal at nym.hush.com> wrote:
> While playing around with --override-session key , have noticed
> that gpg gives many different sets of error messages when trying
> out different session keys.
>
... CUT ...

> Borh examples give error messages identical to the first one,
> except that when the first 8 real characters are used, the error
> message of 'gpg: [don't know]: invalid packet (ctb=37)' is not
> present,
> and when the second real 4 characters are used, there is a
> 'different' error message of 'gpg: [don't know]: invalid packet
> (ctb=32)'.
>
> Anything real about the 'oracle' action in any of this ?
>
>
> vedaal

Should we be worried about "oracle" behavior on a local running
application? It seems "oracle" behavior is all the rage even though it
makes ZERO sense on a local machine unless there is obfuscation
involved. On a local machine, you could take the data and just run the
algorithms yourself.

Does anyone run gpg on a server and let people send arbitrary data to
it? If so, then I'd suggest that a "quiet" execution be performed that
way only the exit code can be used that it's failure.

-- 
Thomas Harning Jr. (http://about.me/harningt)
Please support my wife as she runs her first marathon to raise $2,620 for
St Jude Children's Hospital - http://heroes.stjude.org/jenniferharning



More information about the Gnupg-users mailing list