Re: Anybody know details about Schneier's "flaw"?
pgut001@cs.auckland.ac.nz (Peter Gutmann) Mon, 19 August 2002 11:37 UTC
Date: Mon, 19 Aug 2002 23:29:30 +1200
Message-ID: <200208191129.XAA214939@ruru.cs.auckland.ac.nz>
From: pgut001@cs.auckland.ac.nz
To: Dominikus.Scherkl@glueckkanja.com, ietf-openpgp@imc.org
Subject: Re: Anybody know details about Schneier's "flaw"?
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-ID: <ietf-openpgp.imc.org>
"Dominikus Scherkl" <Dominikus.Scherkl@glueckkanja.com> writes:

>The whole attack looks very suspicious to me...

On the grand scale of things, it has curiosity value, but not much more. There are a pile of other attacks which fall into the same class, e.g. concern over the Bleichenbacher attack on SSL being used against S/MIME email (come to think of it, that one never came up on open-pgp). My thoughts on this at the time, which also apply to this attack, were:

-- Snip --

[...] this attack requires that an attacker send you around a million pieces of CMS encrypted email with attached receipt requests, that you respond with a million receipts indicating to the attacker the exact details of why the decrypt failed, that you reuse the same per-message key for each of those million messages.

Now maybe I'm being a bit optimistic here, but I do think that claiming this is a weakness is pretty silly. First of all you need to assume that an attacker can somehow send you a million pieces of email without you noticing and without it getting stopped by spam blockers. Your own software then has to try to decrypt each of the one million pieces of email, find that it can't, and send out a receipt to the sender containing an indication of exactly how the decryption failed (this isn't possible even if you wanted to do it, although who knows what the Receipt Notification WG have been working on recently). Finally, the whole attack only works if you reuse cryptovariables. This is why the CERT advisory on this problem specifically points out "This vulnerability does not affect S/MIME or SET".

As a security threat, I'd say this rates somewhere down with "Router hit by meteorite", "Computer trampled by stampeding water buffalo", "Hard drive kidnapped by space aliens", and similar stuff. Sure, it is in theory possible, if you try really, really hard and are willing to bend over backwards to cooperate with an attacker, to allow this kind of attack to occur.

[...]

You're more likely to get someone's key by asking them for it (I've seen this happen a number of times, in some cases without even needing to ask for it, by people who assume that "PKCS #12 == certificate" and send out their "certificate" for others to use) than by using this kind of attack. Just because it's (theoretically) possible to break into Fort Knox with a can opener doesn't mean that Kentucky is going to start screening people at the border for possession of said item.

-- Snip --

A better way of putting that last sentence is given in one of my favourite computing quotes, by Chris Strachey: "The fact that it's possible to push a pea up a mountain with your nose doesn't mean that this is a sensible way of getting it there".

Peter.
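The "receipt indicating exactly how the decryption failed" that the post above says the attack depends on is a padding oracle. The following is an added example, not code from the post or from any OpenPGP or CMS implementation: a toy PKCS#1 v1.5 (block type 2) decryptor that reports the reason for each failure, next to one that answers every malformed ciphertext with a random key of the expected length, which is the countermeasure RFC 3218 specifies for CMS. The RSA key (built from two Mersenne primes), the padding layout and the sample session key are constructed for illustration only; blind() is the attacker's query, the target ciphertext multiplied by s^e mod n, and chatty_oracle() is the one bit per query that a detailed receipt would leak.

```python
# Added example (not code from Peter Gutmann's post or any OpenPGP/CMS
# implementation). Toy RSA + PKCS#1 v1.5: a decryptor that explains failures
# (the oracle) beside one that does not (RFC 3218-style mitigation).
import secrets

# Constructed toy key: two Mersenne primes, fine for a demo, useless as a
# real key. K is the modulus length in bytes (19 here).
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8


class PaddingError(Exception):
    """Raised by the chatty decryptor with a reason the sender can read."""


def pkcs1_v15_pad(msg: bytes) -> bytes:
    """EME-PKCS1-v1_5: 0x00 0x02 <non-zero random PS, >= 8 bytes> 0x00 M."""
    if len(msg) > K - 11:
        raise ValueError("message too long for this modulus")
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(K - 3 - len(msg)))
    return b"\x00\x02" + ps + b"\x00" + msg


def encrypt(msg: bytes) -> bytes:
    """RSA-encrypt a padded session key; returns K big-endian bytes."""
    m = int.from_bytes(pkcs1_v15_pad(msg), "big")
    return pow(m, E, N).to_bytes(K, "big")


def chatty_decrypt(ct: bytes) -> bytes:
    """Decrypts and says exactly what went wrong: this is the oracle."""
    em = pow(int.from_bytes(ct, "big"), D, N).to_bytes(K, "big")
    if em[:2] != b"\x00\x02":
        raise PaddingError("bad block type")
    sep = em.find(b"\x00", 2)
    if sep == -1:
        raise PaddingError("no separator after padding string")
    if sep < 10:                      # PS must be at least 8 bytes
        raise PaddingError("padding string too short")
    return em[sep + 1:]


def silent_decrypt(ct: bytes, expected_len: int) -> bytes:
    """Same checks, but any failure yields a random key of the expected
    length, so the caller (and any receipt it sends back) cannot tell a
    malformed ciphertext from a genuine one."""
    em = pow(int.from_bytes(ct, "big"), D, N).to_bytes(K, "big")
    sep = em.find(b"\x00", 2)
    ok = (em[:2] == b"\x00\x02" and sep >= 10
          and len(em) - sep - 1 == expected_len)
    if not ok:
        return secrets.token_bytes(expected_len)
    return em[sep + 1:]


def blind(ct: bytes, s: int) -> bytes:
    """Attacker's query: ct * s^e mod n, which decrypts to s*m mod n."""
    c = int.from_bytes(ct, "big")
    return ((c * pow(s, E, N)) % N).to_bytes(K, "big")


def chatty_oracle(ct: bytes) -> bool:
    """The one bit a detailed failure receipt hands to the attacker."""
    try:
        chatty_decrypt(ct)
        return True
    except PaddingError:
        return False


if __name__ == "__main__":
    ct = encrypt(b"key12345")         # constructed 8-byte session key
    for s in (1, 2, 3):
        print(s, "chatty says conforming:", chatty_oracle(blind(ct, s)),
              "| silent returns", len(silent_decrypt(blind(ct, s), 8)),
              "bytes either way")
```

With s = 1 the chatty decryptor accepts the ciphertext; with s = 2 the decrypted block starts 0x00 0x04 or 0x00 0x05 and the chatty decryptor reports "bad block type", which is exactly the kind of distinguishable answer a million blinded queries would turn into the session key. The silent variant returns eight bytes in both cases and gives the sender nothing to learn from.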
- Anybody know details about Schneier's "flaw"? john.dlugosz
- Re: Anybody know details about Schneier's "flaw"? Derek Atkins
- Re: Anybody know details about Schneier's "flaw"? Rodney Thayer
- Re: Anybody know details about Schneier's "flaw"? Derek Atkins
- Re: Anybody know details about Schneier's "flaw"? Marc Mutz
- Re: Anybody know details about Schneier's "flaw"? john.dlugosz
- Re: Anybody know details about Schneier's "flaw"? Jon Callas
- Re: Anybody know details about Schneier's "flaw"? Lutz Donnerhacke
- Re: Anybody know details about Schneier's "flaw"? Rodney Thayer
- Re: Anybody know details about Schneier's "flaw"? Adam Back
- Re: Anybody know details about Schneier's "flaw"? Carl Ellison
- Re: Anybody know details about Schneier's "flaw"? Dominikus Scherkl
- Re: Anybody know details about Schneier's "flaw"? Peter Gutmann
- Re: Anybody know details about Schneier's "flaw"? Adrian 'Dagurashibanipal' von Bidder
- Re: Anybody know details about Schneier's "flaw"? Werner Koch
- Re: Anybody know details about Schneier's "flaw"? Adrian 'Dagurashibanipal' von Bidder
- Re: Anybody know details about Schneier's "flaw"? David Hopwood
- Re: Anybody know details about Schneier's "flaw"? Peter Gutmann