How much information can be gleaned about a gpg key by possessing both plaintext and ciphertext?
aarcane at aarcane.org
Fri Nov 21 19:00:19 CET 2014
So to summarize, the best way to try this attack would be to encrypt lots
of small messages to a dummy key and a target key because the only knowable
plaintext is the session key. However, there's no known or reasonably
suspected method of plaintext attack anyway, so all this data is believed
to be a waste. Correct me if I'm wrong, and thank you all for the prompt
and consistent replies.
On Nov 21, 2014 7:59 AM, <vedaal at nym.hush.com> wrote:
> On 11/21/2014 at 4:57 AM, "Christ Schlacta" <aarcane at aarcane.org> wrote:
> >how much information does GPG reveal in such situations?
> GnuPG works by using hybrid encryption:
>  The plaintext is converted to ciphertext using a block cipher, with
> GnuPG generating a random session key for the encryption
>  The random session key is then encrypted to the recipient's public key.
>  The recipient uses the private key to recover the session key in ,
> which is then used to decrypt the plaintext in .
> No amount of plaintext and ciphertext reveal anything about the
> recipient's *Private* key.
> (The recipient's public key is usually *public* and known already).
> That said,
> Any attacker can simultaneously encrypt to a 'Target' public key, and to
> the Attacker's own public key.
> The Attacker can then recover the session key by decrypting with the
> Attacker's private key.
> This 'session key' is the only thing that can be used as the "plaintext"
> that is encrypted to the Target's public key.
> An attacker now knows:
> (a) The *ciphertext*, which is the session key encrypted to the Target's
> public key.
> (b) *PART* of the *plaintext*, which is the session key, since it was
> encrypted to the attacker's public key.
> (It is only *part* because the session key is padded with a *different*
> padding for each key to which it is encrypted,
> even when the same session key is simultaneously encrypted to different
> public keys.)
> (c) The Target's Public key.
> The Attacker can generate an unlimited amount of messages in this way.
> Using this information the attacker now wants to find/reconstruct the
> Target's Private key.
> I don't know that much about attacking RSA Key Pairs in trying to find
> the Private Key, (other than factoring the modulus),
> but suffice it to say, that in the over 20 years that RSA has been around
> and many different attacks have been tried,
> *this* type of attack has not seemed feasible enough for anyone to try.
> Short summary,
> No useful information can be gleaned.
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
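The hybrid scheme vedaal describes, as an added toy model that is not part of the thread or of GnuPG's own code: a random session key encrypts the message, and the session key is wrapped separately to each recipient's RSA public key with fresh random padding. It assumes textbook RSA at toy size (512-bit modulus), PKCS#1 v1.5-style padding as a loose stand-in for OpenPGP's public-key encrypted session key packet, and a SHA-256 counter keystream in place of the real block cipher; `second_recipient_view` plays out the scenario in the quoted message, showing that a second recipient recovers the session key bytes but cannot even reconstruct the full RSA input of the Target's copy, let alone anything about the Target's private key.

```python
"""Toy model of GnuPG-style hybrid encryption (constructed for illustration)."""
import hashlib
import os
import random
from dataclasses import dataclass

_rng = random.SystemRandom()


def is_probable_prime(n, rounds=20):
    """Miller-Rabin probable-prime test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    while True:
        c = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # force top bit and oddness
        if is_probable_prime(c):
            return c


@dataclass
class RsaKey:
    n: int
    e: int
    d: int = 0  # private exponent; the public part is (n, e) only


def generate_rsa(bits=512):
    """Textbook RSA key generation at toy size (real keys are 2048+ bits)."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return RsaKey(n=p * q, e=e, d=pow(e, -1, phi))


def wrap_session_key(session_key, pub):
    """PKCS#1 v1.5-style: 00 02 <random non-zero filler> 00 <key>, then RSA.
    The filler is drawn fresh per recipient, so two copies of one session key
    have different RSA inputs: a second recipient knows the key bytes but not
    the filler bytes of the other recipient's copy."""
    k = (pub.n.bit_length() + 7) // 8
    filler = bytes(_rng.randrange(1, 256) for _ in range(k - len(session_key) - 3))
    padded = b"\x00\x02" + filler + b"\x00" + session_key
    return pow(int.from_bytes(padded, "big"), pub.e, pub.n)


def unwrap_session_key(wrapped, priv):
    k = (priv.n.bit_length() + 7) // 8
    padded = pow(wrapped, priv.d, priv.n).to_bytes(k, "big")
    if padded[:2] != b"\x00\x02":
        raise ValueError("bad padding")
    return padded[padded.index(b"\x00", 2) + 1:]


def keystream_xor(key, data):
    """Stand-in for the block cipher: SHA-256 counter keystream XOR (not OpenPGP's CFB)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def encrypt_to_recipients(plaintext, recipient_pubs):
    """One random session key per message, wrapped once per recipient."""
    session_key = os.urandom(16)
    wrapped = [wrap_session_key(session_key, pk) for pk in recipient_pubs]
    return wrapped, keystream_xor(session_key, plaintext)


def decrypt(wrapped_for_me, body, priv):
    return keystream_xor(unwrap_session_key(wrapped_for_me, priv), body)


def second_recipient_view(target_pub, attacker_priv, plaintext=b"constructed message"):
    """The thread's scenario: encrypt to Target and to self, unwrap own copy."""
    (to_target, to_self), body = encrypt_to_recipients(plaintext, [target_pub, attacker_priv])
    session_key = unwrap_session_key(to_self, attacker_priv)
    # Re-wrapping the recovered key to Target draws new filler, so it does not
    # reproduce to_target: the full RSA input of the Target's copy stays unknown.
    return {
        "session_key": session_key,
        "target_copy": to_target,
        "rewrap_reproduces_target_copy": wrap_session_key(session_key, target_pub) == to_target,
    }
```

Running `second_recipient_view(generate_rsa(), generate_rsa())` returns the 16-byte session key and `rewrap_reproduces_target_copy` as `False`, which is point (b) of the quoted message in code: the known plaintext is only the key bytes, and the rest of the RSA input is fresh randomness the Target's copy never shares.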