IETF Logo Mail Archive

Re: possible new type of pgp plaintext attack ?

john.dlugosz@kodak.com Wed, 21 August 2002 14:47 UTC

Received: from above.proper.com (mail.proper.com [208.184.76.45]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA11813 for <openpgp-archive@lists.ietf.org>; Wed, 21 Aug 2002 10:47:37 -0400 (EDT)
Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g7LEc2L16048 for ietf-openpgp-bks; Wed, 21 Aug 2002 07:38:02 -0700 (PDT)
Received: from kodakr.kodak.com (kodakr.kodak.com [192.232.119.69]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g7LEc0216037; Wed, 21 Aug 2002 07:38:01 -0700 (PDT)
Received: from knotes.kodak.com (knotes2.ko.kodak.com [150.221.122.53]) by kodakr.kodak.com (8.11.1/8.11.1) with ESMTP id g7LEcTQ13615; Wed, 21 Aug 2002 10:38:29 -0400 (EDT)
To: vedaal@hotmail.com
Cc: ietf-openpgp@imc.org, owner-ietf-openpgp@mail.imc.org
Subject: Re: possible new type of pgp plaintext attack ?
X-Mailer: Lotus Notes Release 5.0.5 September 22, 2000
Message-ID: <OFC90E22E2.95DCA848-ON86256C1C.00500005@kodak.com>
From: john.dlugosz@kodak.com
Date: Wed, 21 Aug 2002 09:37:52 -0500
X-MIMETrack: Serialize by Router on KNOTES2/ISBP/EKC(Release 5.0.10 |March 22, 2002) at 08/21/2002 10:37:50 AM, Serialize complete at 08/21/2002 10:37:50 AM
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="=_alternative 00505F1086256C1C_="
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

No need to go through all the gyrations, since Bob's public key is public 
and known to her.  She can perform chosen plaintext attack on the key all 
she wants, with specialized tools and hardware.  No need to only use known 
session keys for whole messages encrypted by PGP; just run RSA or DSA 
yourself on any chosen material.

It is a fundimental requirement that a public key algorithm be able to 
withstand such an attack.  The existance of a "weak block" would imply 
that the function is not one-way after all.

--John







"vedaal" <vedaal@hotmail.com>
Sent by: owner-ietf-openpgp@mail.imc.org
08-20-2002 04:40 PM

 
        To:     <ietf-openpgp@imc.org>
        cc: 
        Subject:        possible new type of pgp plaintext attack ?



atfer reading the paper on the pgp reply/plaintext attack,  was wondering 
if
there might be an additional way to mount a different type of plaintext
attack,
which is independent of the recipient's reply:

consider:

Alice pgp encrypts a message to Bob, and by default, simultaneously to
herself.

Alice can use gnupg to obtain the session key for the message, by
decrypting the default encrypted message to her own key.

The session key, can now be used as a known plaintext,
the packet of the session key encrypted to Bob's public key, is the
ciphertext,

and Bob's [ private key + passphrase hash ] the unknown, that is sought.


now,

if we assume that:
(a) Alice can use a watered-down implementation of pgp that does not use
'salt'

and

(b) Alice can intentionally use a flawed 'crackable' algorithm to encrypt 
to
Bob's key
{like using an 'experimental algo' in gnupg, but finding/making one that 
is
easily cracked, or trivial to begin with}

then,
is it possible for Alice to retrieve Bob's [private key + passphrase 
hash],
which could then be used to decrypt  other messages encrypted to Bob's key 
?


TIA,

vedaal

v2.23.0 | Report a Bug | By Email