IETF Logo Mail Archive

Re: Chosen-ciphertext attack on receiver anonymity

Brent Waters <bwaters@theory.stanford.edu> Tue, 05 July 2005 05:11 UTC

Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1DpfiX-0005KY-Vz for openpgp-archive@megatron.ietf.org; Tue, 05 Jul 2005 01:11:34 -0400
Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id BAA19736 for <openpgp-archive@lists.ietf.org>; Tue, 5 Jul 2005 01:11:33 -0400 (EDT)
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j654o0Dr066940; Mon, 4 Jul 2005 21:50:00 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j654o0hK066939; Mon, 4 Jul 2005 21:50:00 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from agp.stanford.edu (agp.Stanford.EDU [171.67.73.10]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j654nviq066924 for <ietf-openpgp@imc.org>; Mon, 4 Jul 2005 21:49:57 -0700 (PDT) (envelope-from bwaters@theory.stanford.edu)
Received: from theory.stanford.edu ([171.64.78.10]) by agp.stanford.edu with esmtps (TLSv1:DES-CBC3-SHA:168) (Exim 4.43) id 1DpfNY-0006h1-4j for ietf-openpgp@imc.org; Mon, 04 Jul 2005 21:49:52 -0700
Received: from mail by theory.Stanford.EDU with spam-scanned (Exim 4.30) id 1DpfNT-00065f-VZ for ietf-openpgp@imc.org; Mon, 04 Jul 2005 21:49:51 -0700
Received: from cipher.stanford.edu ([171.64.78.146]) by theory.Stanford.EDU with esmtp (TLSv1:AES256-SHA:256) (Exim 4.30) id 1DpfNS-00065G-Bc; Mon, 04 Jul 2005 21:49:46 -0700
Received: from cipher.Stanford.EDU (localhost.localdomain [127.0.0.1]) by cipher.Stanford.EDU (8.12.11/8.12.8) with ESMTP id j654nkvY026593; Mon, 4 Jul 2005 21:49:46 -0700
Received: from localhost (bwaters@localhost) by cipher.Stanford.EDU (8.12.11/8.12.11/Submit) with ESMTP id j654njMU026590; Mon, 4 Jul 2005 21:49:45 -0700
Date: Mon, 04 Jul 2005 21:49:45 -0700
From: Brent Waters <bwaters@theory.stanford.edu>
To: Hal Finney <hal@finney.org>
cc: ietf-openpgp@imc.org, pgut001@cs.auckland.ac.nz
Subject: Re: Chosen-ciphertext attack on receiver anonymity
In-Reply-To: <20050704235900.A6B6557E8D@finney.org>
Message-ID: <Pine.LNX.4.62.0507042118010.25961@cipher.Stanford.EDU>
References: <20050704235900.A6B6557E8D@finney.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
X-Scan-Signature: b0d2d5ababd8fe43140185de29a9e1cb
X-Spam-Checker-Version: SpamAssassin 3.0.2-cs-csdcf (2004-11-16) on cs-smtp-2.Stanford.EDU
X-Spam-Status: No, score=-104.9 required=7.0 tests=BAYES_00,SPF_HELO_PASS, USER_IN_WHITELIST autolearn=no version=3.0.2-cs-csdcf
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

> I'm not familiar with this term "throw-keyid".  We don't use it in
> RFC2440-bis as far as I know.  I think however that you are referring
> to this feature discussed in section 5.1:
>
>   An implementation MAY accept or use a Key ID of zero as a "wild
>   card" or "speculative" Key ID. In this case, the receiving
>   implementation would try all available private keys, checking for a
>   valid decrypted session key. This format helps reduce traffic
>   analysis of messages.
As Peter pointed out, I was using GNUPG command-line terminology. However, 
it seems we are talking about the same thing.

> That does seem to be a valid attack against the anonymity.  However
> you should be aware that OpenPGP is not trying to provide very strong
> anonymity here.  No effort is made to obfuscate the key size, for example,
> so unusually sized keys tend to reveal themselves.  All the RFC phrasing
> suggests or claims is that it can "help reduce" traffic analysis.
>
> If we really wanted to guarantee strong anonymity I think we would have
> to do quite a bit more work here.  Your attack is definitely something
> to consider.  However, strong anonymity is not something we have aimed
> to provide.
>
> Given the weak level of anonymity it affords, perhaps the zero keyid
> feature is misleading to users?  If so, should we consider deprecating
> it until we are willing to do the work necessary to do the job right?
> Or we could at least put a note in the RFC emphasizing that this feature
> does not provide strong anonymity and should not be relied upon for
> that purpose.

Yes, there are certainly other issues in anonymity. Even if two keys are 
the same number of bits there could be attacks. E.g. If 110000001 and 
100000001 were both primes used for different ElGamal keys and adversary 
would still have a significant advantage in distinguishing the receiver. 
Having common ElGamal NIST primes would take care of this and have the 
small benefit of faster key generation. This is discussed in a Bellare 
paper: http://www-cse.ucsd.edu/users/mihir/papers/anonenc.html .
The thing unique about the attack I described is that no one has 
considered a definition "Key-Privacy" in the multiple recipient 
case. However, I believe a solution from "commodity parts" can be made.

As far as whether it is a problem, I believe that Hushmail uses such 
feature to implement BCC functionality. Also, I PGP is used in some other 
contexts such as newsgroups like alt.anonymous. In short it seems that 
some applications might rely on the feature whether it was intended to be 
strong or not.

In the short term it might help to serve notice in some way. 
Perhaps a note of the RFC would be good. While there does seems to be a 
bit of work to do, it seems feasible to implement the feature properly. 
My opinion is that eventually it would probably be best to either provide 
the feature fully or remove it. Which one to do probably depends on what 
goals of PGP are.

-Brent

v2.23.0 | Report a Bug | By Email