small security glitches

Post Carter post.carter at
Fri Mar 2 13:55:23 CET 2012

I know we've both read and understand the paper, so I think we just have
a terminology discrepancy here.  What is a bit confusing is using the words
encrypted vs. decrypted and ciphertext vs. cleartext when we're talking
about an attacker inserting contents into the message.
What I was trying to say was like this... 
1) Let's say the original sender encrypts a message.  It then looks like
this where "C" represents some bits of encrypted ciphertext:
2) Then, the attacker inserts some material of their own into the message,
denoted here with "P" for plaintext since it has not been subjected to
encryption.  The message now looks like this:
3) Next, the recipient "decrypts" the message.  Since at its lowest level
the encryption amounts to XOR'ing the message text against the secret
key, it essentially results in the flipping of each class of text. "C"
becomes "P" and "P" becomes "C":
4) In the attack scenario, when the recipient sends the "gibberish" to
the sender, they are sending the now "encrypted" part of the message
above denoted by "CC":  PPP -->CC<-- PP
5) The attacker intercepts and XOR's the gibberish "CC" against their 
original insertion "PP" from #2 to deduce the key.  Then they can decrypt
the original "CCCCC" contents from #1.
I'm sure this is all subject to terminology debates, and I'm most likely
not using the optimal words to describe the process, but my point was
just that the recipient actually never themselves reveals to the attacker
any of the decrypted contents of the original message that were sent by
the original sender.
>> ----- Original Message -----
>> From: Daniel Kahn Gillmor <dkg at>
>> Sent: Friday, March 2, 2012 8:50 AM
>> Subject: Re: small security glitches
>> That said, the attack described does indeed rely on the victim
>> decrypting arbitrary text sent by the attacker and sending it back in
>> such a way that the attacker can read the cleartext.  Quoting the paper:
>> >> and the user is presented with the corresponding message P'. To the 
>> >> user, P' appears to be garbled; the user therefore replies to the
>> >> adversary with, for example, "What were you trying to send me?", but
>> >> also quotes the "garbled" message P'. Thus, the user himself
>> >> unwittingly acts as a decryption oracle for the adversary.
>> Do you see how the above suggests that the victim must transfer the
>> (apparently-garbled) cleartext to the attacker for the attack to proceed?
