Unusual (unintended?) behavior upon decryption of a message

vedaal at nym.hush.com
Tue Nov 19 22:37:53 CET 2013

On Tuesday, November 19, 2013 at 3:02 PM, "Peter Lebbing" <peter at digitalbrains.com> wrote:
>On 19/11/13 18:14, vedaal at nym.hush.com wrote:
>> Why does gnupg give these types of error message, as opposed to
>> stating 'decryption failed: bad passphrase' ??
>> What kind of relationship is there between the number listed for
>> 'unknown algorithm' and the passphrase string that was given
>The passphrase is used to decrypt the concatenation of an octet
>specifying what cipher was used for the symmetrically-encrypted data
>packet and the key for that data packet. If you give the wrong
>passphrase, this comes out as random rubbish, and that first octet
>specifying the cipher for the data is rubbish as well. This is what
>GnuPG reports. There is no check if decryption was successful; it
>just results in garbage. After a few tens of tries, I suppose you can
>actually hit the case where the algorithm identifier is something
>usable, and GnuPG will probably try to decrypt the data packet with
>the rubbish it got from the symmetrically encrypted session key
>packet :).
>
>There are potentially two symmetric ciphers at play, one to encrypt the
>session key, and one to encrypt the data.


But this isn't the way hybrid gnupg messages work.

If a message is encrypted to two different keys,
gnupg will use the same symmetric algorithm to encrypt the session key to the public key, and also the plaintext to the ciphertext.

If the message is encrypted to one public key, and also encrypted symmetrically instead of to a second public key, then the symmetric algorithm used by gnupg is the same for the encryption of the session key to the public key, as well as the session key to the symmetrically encrypted part, as well as the encryption of the plaintext.

Gnupg does not use one symmetric algorithm to encrypt the session key, and then another to encrypt the message.
The user can choose 'which' symmetric algorithm to use, but it will be the same for both.

The symmetric algorithm is known, and is discoverable from gpg --list-packets or from pgpdump.

My question is, is there oracle behavior on gnupg's part which will allow an attack on the string-to-key part of the symmetric encryption?

If an attacker knows which symmetric algorithm was used, then by concentrating on the first few characters of the passphrase, and trying variations of those until gnupg identifies the correct algorithm,
gnupg may 'leak' the first few characters of the passphrase when the correct algorithm is identified, even if the message is not yet decrypted.
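To make the mechanism Peter describes concrete, and to see why a guess that shares its first few characters with the real passphrase is no better off than any other guess, here is an added example; it is not code from this thread, from GnuPG or from any OpenPGP library. The string-to-key derivation follows RFC 4880 section 3.7.1.3 (iterated and salted, SHA-1) and the packet layout mirrors the v4 symmetric-key encrypted session key packet (algorithm octet followed by the session key, CFB-encrypted with a zero IV), but the block cipher is a constructed HMAC-SHA256 stand-in rather than AES, and the salt, passphrases and session key are made-up values.

```python
import hashlib
import hmac

# OpenPGP symmetric-key algorithm IDs from RFC 4880 section 9.2; any other
# value in the first decrypted octet is what GnuPG reports as an unknown cipher.
SYM_ALGS = {1: "IDEA", 2: "TripleDES", 3: "CAST5", 4: "Blowfish",
            7: "AES128", 8: "AES192", 9: "AES256", 10: "Twofish"}
BLOCK = 16  # block size of the stand-in cipher below (same as AES)


def s2k_iterated_salted(passphrase: bytes, salt: bytes, coded_count: int,
                        key_len: int, hash_name: str = "sha1") -> bytes:
    """Iterated and salted S2K as RFC 4880 section 3.7.1.3 defines it.

    The whole of salt||passphrase is fed through the hash repeatedly until
    `count` octets have been hashed (never less than one full copy).  For keys
    longer than one digest, hash context i is preloaded with i zero octets
    (RFC 4880 section 3.7.1.1) and the digests are concatenated.
    """
    count = (16 + (coded_count & 15)) << ((coded_count >> 4) + 6)
    data = salt + passphrase
    total = max(count, len(data))
    out = b""
    ctx = 0
    while len(out) < key_len:
        h = hashlib.new(hash_name)
        h.update(b"\x00" * ctx)
        full, rem = divmod(total, len(data))
        for _ in range(full):
            h.update(data)
        h.update(data[:rem])
        out += h.digest()
        ctx += 1
    return out[:key_len]


def _block_encrypt(key: bytes, block: bytes) -> bytes:
    """Constructed stand-in for the block cipher: HMAC-SHA256 truncated to
    16 bytes. It is NOT AES; only its pseudo-randomness matters here."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def cfb(key: bytes, data: bytes, decrypt: bool) -> bytes:
    """OpenPGP-style CFB with an all-zero IV, as the SKESK packet uses."""
    prev = bytes(BLOCK)
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        keystream = _block_encrypt(key, prev)
        chunk = data[i:i + BLOCK]
        xored = bytes(a ^ b for a, b in zip(chunk, keystream))
        out += xored
        prev = chunk if decrypt else xored  # feedback is always the ciphertext
    return bytes(out)


def make_skesk(passphrase: bytes, alg_id: int, session_key: bytes,
               salt: bytes, coded_count: int = 0x10) -> dict:
    """Simplified v4 SKESK (tag 3) body: S2K parameters plus the encrypted
    (algorithm octet || session key). No integrity check is stored."""
    kek = s2k_iterated_salted(passphrase, salt, coded_count, 32)
    return {"salt": salt, "count": coded_count,
            "esk": cfb(kek, bytes([alg_id]) + session_key, decrypt=False)}


def open_skesk(passphrase: bytes, pkt: dict) -> tuple:
    """Do what GnuPG does: derive the key, decrypt, and read the first octet
    as the cipher ID. A wrong passphrase just yields garbage, so the octet is
    usually an undefined algorithm number."""
    kek = s2k_iterated_salted(passphrase, pkt["salt"], pkt["count"], 32)
    plain = cfb(kek, pkt["esk"], decrypt=True)
    return plain[0], plain[1:]


def valid_octet_rate(pkt: dict, guesses) -> float:
    """Fraction of wrong guesses whose first decrypted octet happens to be a
    defined algorithm ID (about 8/256 for a uniformly random octet)."""
    hits = sum(open_skesk(g, pkt)[0] in SYM_ALGS for g in guesses)
    return hits / len(guesses)


if __name__ == "__main__":
    salt = bytes.fromhex("0123456789abcdef")   # constructed salt
    session_key = bytes(range(32))             # constructed AES-256 session key
    pkt = make_skesk(b"correct horse", 9, session_key, salt)
    print("right passphrase ->", open_skesk(b"correct horse", pkt)[0])
    print("one char off     ->", open_skesk(b"correct horsf", pkt)[0])
    prefix_ok = [b"correct hors" + str(i).encode() for i in range(3000)]
    unrelated = [b"guess" + str(i).encode() for i in range(3000)]
    print("valid-octet rate, prefix-correct guesses:", valid_octet_rate(pkt, prefix_ok))
    print("valid-octet rate, unrelated guesses:     ", valid_octet_rate(pkt, unrelated))
```

Because the iterated S2K hashes the entire salt and passphrase, a difference in the last character changes the derived key completely, and the first decrypted octet of the session key packet is then just a uniformly random byte. Roughly 8 of every 256 wrong guesses land on a defined algorithm ID whether or not they share a prefix with the real passphrase, so the reported "unknown algorithm" number carries no information about which characters were right. What the behaviour does show is that the v4 session key packet has no integrity check of its own, which is why GnuPG can only report the garbage it decrypted rather than a clean "bad passphrase" error.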
