Re: Anybody know details about Schneier's "flaw"?

pgut001@cs.auckland.ac.nz (Peter Gutmann) Mon, 19 August 2002 11:37 UTC

Received: from above.proper.com (mail.proper.com [208.184.76.45]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id HAA28548 for <openpgp-archive@lists.ietf.org>; Mon, 19 Aug 2002 07:37:25 -0400 (EDT)
Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g7JBU0F19339 for ietf-openpgp-bks; Mon, 19 Aug 2002 04:30:00 -0700 (PDT)
Received: from hermes.cs.auckland.ac.nz (hermes.cs.auckland.ac.nz [130.216.35.151]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g7JBTvw19333 for <ietf-openpgp@imc.org>; Mon, 19 Aug 2002 04:29:58 -0700 (PDT)
Received: from ruru.cs.auckland.ac.nz (ruru-nfs.cs.auckland.ac.nz [130.216.35.12]) by hermes.cs.auckland.ac.nz (8.12.4/8.12.4) with ESMTP id g7JBTX8W008198; Mon, 19 Aug 2002 23:29:33 +1200
Received: (from pgut001@localhost) by ruru.cs.auckland.ac.nz (8.9.3/8.8.6/cs-slave) id XAA214939; Mon, 19 Aug 2002 23:29:30 +1200 (NZST) (sender pgut001@cs.auckland.ac.nz)
Date: Mon, 19 Aug 2002 23:29:30 +1200 (NZST)
Message-ID: <200208191129.XAA214939@ruru.cs.auckland.ac.nz>
From: pgut001@cs.auckland.ac.nz (Peter Gutmann)
To: Dominikus.Scherkl@glueckkanja.com, ietf-openpgp@imc.org
Subject: Re: Anybody know details about Schneier's "flaw"?
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

"Dominikus Scherkl" <Dominikus.Scherkl@glueckkanja.com> writes:

>The whole attack looks very suspicious to me...

On the grand scale of things, it has curiosity value, but not much more.  There
are a pile of other attacks which fall into the same class, e.g. concern over
the Bleichenbacher attack on SSL being used against S/MIME email (come to think
of it, that one never came up on open-pgp).  My thoughts on this at the time,
which also apply to this attack, were:

-- Snip --

  [...] this attack requires that an attacker send you around a million pieces
  of CMS encrypted email with attached receipt requests, that you respond with
  a million receipts indicating to the attacker the exact details of why the
  decrypt failed, that you reuse the same per-message key for each of those
  million messages.

  Now maybe I'm being a bit optimistic here, but I do think that claiming this
  is a weakness is a pretty silly.  First of all you need to assume that an
  attacker can somehow send you a million pieces of email without you noticing
  and without it getting stopped by spam blockers.  Your own software then has
  to try to decrypt each of the one million pieces of email, find that it
  can't, and send out a receipt to the sender containing an indication of
  exactly how the decryption failed (this isn't possible even if you wanted to
  do it, although who knows what the Receipt Notification WG have been working
  on recently).  Finally, the whole attack only works if you reuse
  cryptovariables.  This is why the CERT advisory on this problem specifically
  points out "This vulnerability does not affect S/MIME or SET".

  As a security threat, I'd say this rates somewhere down with "Router hit by
  meteorite", "Computer trampled by stampeding water buffalo", "Hard drive
  kidnapped by space aliens", and similar stuff.

Sure, it is in theory possible, if you try really, really hard and are willing
to bend over backwards to cooperate with an attacker, to allow this kind of
attack to occur.  [...]  You're more likely to get someone's key by asking them
for it (I've seen this happen a number of times, in some cases without even
needing to ask for it, by people who assume that "PKCS #12 == certificate" and
send out their "certificate" for others to use) than by using this kind of
attack.

Just because it's (theoretically) possible to break into Fort Knox with a can
opener doesn't mean that Kentucky is going to start screening people at the
border for possession of said item.

-- Snip --

A better way of putting that last sentence is given in one of my favourite
computing quotes, by Chris Strachey:

  "The fact that it's possible to push a pea up a mountain with your nose
   doesn't mean that this is a sensible way of getting it there".

Peter.