How much information can be gleaned about a gpg key by possessing both plaintext and ciphertext?
vedaal at nym.hush.com
Fri Nov 21 16:56:51 CET 2014
On 11/21/2014 at 4:57 AM, "Christ Schlacta" <aarcane at aarcane.org> wrote:
>how much information does GPG reveal in such situations?
=====
GnuPG works by using hybrid encryption:
[1] The plaintext is converted to ciphertext using a block cipher, with GnuPG generating a random session key for the encryption
[2] The random session key is then encrypted to the recipient's public key.
[3] The recipient uses the private key to recover the session key in [2], which is then used to decrypt the plaintext in [1].
No amount of plaintext and ciphertext reveals anything about the recipient's *Private* key.
(The recipient's public key is usually *public* and known already).
That said,
Any attacker can simultaneously encrypt to a 'Target' public key, and to the Attacker's own public key.
The Attacker can then recover the session key by decrypting with the Attacker's private key.
This 'session key' is the only thing that can be used as the "plaintext" that is encrypted to the Target's public key.
An attacker now knows:
(a) The *ciphertext*, which is the session key encrypted to the Target's public key.
(b) *PART* of the *plaintext*, which is the session key, since it was encrypted to the attacker's public key.
(It is only *part* because the session key is padded with a *different* padding for each key to which it is encrypted,
even when the same session key is simultaneously encrypted to different public keys.)
(c) The Target's Public key.
The Attacker can generate an unlimited number of messages in this way.
Using this information the attacker now wants to find/reconstruct the Target's Private key.
I don't know that much about attacking RSA Key Pairs in trying to find the Private Key (other than factoring the modulus),
but suffice it to say, that in the over 20 years that RSA has been around and many different attacks have been tried,
*this* type of attack has not seemed feasible enough for anyone to try.
So,
Short summary,
No useful information can be gleaned.
vedaal
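As an added illustration of the hybrid scheme described above (this is not code from the post or from GnuPG), the Go program below wraps one random session key to several recipients with RSA-OAEP and encrypts the body with AES-256-GCM, standing in for OpenPGP's own block cipher and PKCS#1 padding; the Message type and the function names are assumptions. Any listed recipient can unwrap their own copy of the session key, and the wrapped copies differ from one another even though the key inside each is identical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Message: one symmetric body plus one wrapped copy of the session key per recipient.
type Message struct {
	WrappedKeys [][]byte // session key encrypted to each recipient's public key
	Nonce, Body []byte   // AES-256-GCM encryption of the plaintext
}

// Encrypt performs steps [1] and [2]: a fresh random session key encrypts the
// plaintext, then that same key is wrapped to every recipient's public key.
func Encrypt(plaintext []byte, recipients []*rsa.PublicKey) (*Message, error) {
	sessionKey, nonce := make([]byte, 32), make([]byte, 12)
	rand.Read(sessionKey) // crypto/rand aborts the process if the OS source fails (Go 1.24+)
	rand.Read(nonce)
	block, _ := aes.NewCipher(sessionKey) // a 32-byte key cannot fail
	gcm, _ := cipher.NewGCM(block)
	msg := &Message{Nonce: nonce, Body: gcm.Seal(nil, nonce, plaintext, nil)}
	for _, pub := range recipients {
		// OAEP draws fresh random padding per recipient, so the value fed to RSA differs per key.
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
		if err != nil {
			return nil, err
		}
		msg.WrappedKeys = append(msg.WrappedKeys, w)
	}
	return msg, nil
}

// RecoverSessionKey is what any listed recipient can do with their private key: unwrap copy i.
func RecoverSessionKey(msg *Message, i int, priv *rsa.PrivateKey) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, msg.WrappedKeys[i], nil)
}

// Decrypt performs step [3]: unwrap the session key, then open the body with it.
func Decrypt(msg *Message, i int, priv *rsa.PrivateKey) ([]byte, error) {
	sessionKey, err := RecoverSessionKey(msg, i, priv)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(sessionKey)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, msg.Nonce, msg.Body, nil)
}
```

A recipient who is also on the list learns the session key (the input to the target's RSA operation, minus its padding) but nothing about the target's private key, which is exactly the situation the post analyses.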