How much information can be gleaned about a gpg key by possessing both plaintext and ciphertext?
I know some encryption schemes reveal more information about the keys used when an attacker has both the plaintext and the ciphertext. In general, how much information does GPG reveal in such situations?

How much plaintext/ciphertext matched data would an attacker need (an order of magnitude is fine) before being able to reverse enough of the key to be meaningful on fairly modern computers?

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: How much information can be gleaned about a gpg key by possessing both plaintext and ciphertext?
On 21.11.2014 at 10:57, Schlacta, Christ wrote:

> I know some encryption schemes reveal more information about the keys used when an attacker has both the plaintext and the ciphertext. In general, how much information does GPG reveal in such situations?

Short answer: That's no problem.

Google e.g.: plain text attacks on gnupg site:gnupg.org

Greetings
Martin
Re: How much information can be gleaned about a gpg key by possessing both plaintext and ciphertext?
> I know some encryption schemes reveal more information about the keys used when an attacker has both the plaintext and the ciphertext. In general, how much information does GPG reveal in such situations?

Virtually none.

> How much plaintext/ciphertext matched data would an attacker need (An order of magnitude is fine) before being able to reverse enough of the key to be meaningful on fairly modern computers?

Enough to make it far, *far* more cost-effective to resort to other methods to recover your key. Just buying the hard drives alone would exhaust the budgets of large corporations.
Re: How much information can be gleaned about a gpg key by possessing both plaintext and ciphertext?
On 11/21/2014 at 4:57 AM, Christ Schlacta aarc...@aarcane.org wrote:

> how much information does GPG reveal in such situations?

GnuPG works by using hybrid encryption:

[1] The plaintext is converted to ciphertext using a block cipher, with GnuPG generating a random session key for the encryption.

[2] The random session key is then encrypted to the recipient's public key.

[3] The recipient uses the private key to recover the session key in [2], which is then used to decrypt the plaintext in [1].

No amount of plaintext and ciphertext reveals anything about the recipient's *Private* key. (The recipient's public key is usually *public* and known already.)

That said, any attacker can simultaneously encrypt to a 'Target' public key, and to the Attacker's own public key. The Attacker can then recover the session key by decrypting with the Attacker's private key. This 'session key' is the only thing that can be used as the plaintext that is encrypted to the Target's public key.

An attacker now knows:

(a) The *ciphertext*, which is the session key encrypted to the Target's public key.

(b) *PART* of the *plaintext*, which is the session key, since it was encrypted to the attacker's public key. (It is only *part* because the session key is padded with a *different* padding for each key to which it is encrypted, even when the same session key is simultaneously encrypted to different public keys.)

(c) The Target's Public key.

The Attacker can generate an unlimited amount of messages in this way. Using this information the attacker now wants to find/reconstruct the Target's Private key.

I don't know that much about attacking RSA Key Pairs in trying to find the Private Key (other than factoring the modulus), but suffice it to say that in the over 20 years that RSA has been around and many different attacks have been tried, *this* type of attack has not seemed feasible enough for anyone to try.

So, short summary: No useful information can be gleaned.

vedaal
Re: How much information can be gleaned about a gpg key by possessing both plaintext and ciphertext?
So to summarize, the best way to try this attack would be to encrypt lots of small messages to a dummy key and a target key because the only knowable plaintext is the session key. However, there's no known or reasonably suspected method of plaintext attack anyway, so all this data is believed to be a waste.

Correct me if I'm wrong, and thank you all for the prompt and consistent replies.
Re: How much information can be gleaned about a gpg key by possessing both plaintext and ciphertext?
On 11/21/2014 at 1:01 PM, Christ Schlacta aarc...@aarcane.org wrote:

> So to summarize, the best way to try this attack would be to encrypt lots of small messages to a dummy key and a target key because the only knowable plaintext is the session key. However, there's no known or reasonably suspected method of plaintext attack anyway, so all this data is believed to be a waste.

Correct.

You could (more efficiently) isolate the Public GnuPG key as an RSA Public key, and use an implementation of RSA that does not use padding, and try all the plaintexts and known resulting ciphertexts, and still not construct the RSA Private key.

vedaal
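
The two points made in the replies above (per-recipient random padding of the session key, and known pairs under unpadded RSA) can be seen in a small added example; this is not code from the thread or from GnuPG. It assumes toy RSA keys built from Mersenne primes (constructed and insecure, for illustration only) and pads the bare session key with the PKCS#1 v1.5 layout, omitting the algorithm octet and checksum that OpenPGP wraps around the key first.

```python
import secrets

def toy_key(a, b, e=65537):
    # Constructed toy key from the Mersenne primes 2**a-1 and 2**b-1: insecure, demo only.
    p, q = 2**a - 1, 2**b - 1
    n = p * q
    return {"n": n, "e": e, "d": pow(e, -1, (p - 1) * (q - 1)),
            "k": (n.bit_length() + 7) // 8}

def pad(msg, k):
    # EME-PKCS1-v1_5 layout: 00 02 <fresh random nonzero bytes> 00 <msg>
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(k - 3 - len(msg)))
    return b"\x00\x02" + ps + b"\x00" + msg

def unpad(em):
    if em[:2] != b"\x00\x02":
        raise ValueError("bad padding")
    return em[em.index(b"\x00", 2) + 1:]

def encrypt(pub, msg):
    em = pad(msg, pub["k"])
    return pow(int.from_bytes(em, "big"), pub["e"], pub["n"]), em

def decrypt(key, c):
    return unpad(pow(c, key["d"], key["n"]).to_bytes(key["k"], "big"))

def textbook_pairs(pub, messages):
    # Unpadded RSA: every (plaintext, ciphertext) pair is computable from the
    # public key alone, so observed pairs carry nothing the public key does not.
    return [(m, pow(m, pub["e"], pub["n"])) for m in messages]

def demo():
    target, own = toy_key(127, 521), toy_key(107, 607)
    session_key = secrets.token_bytes(16)
    c_target, em_target = encrypt(target, session_key)
    c_own, _ = encrypt(own, session_key)
    _, em_second = encrypt(target, session_key)   # same key, same recipient, again
    return {
        "sender_recovers_session_key": decrypt(own, c_own) == session_key,
        "target_decrypts": decrypt(target, c_target) == session_key,
        "random_pad_bytes": len(em_target) - 3 - len(session_key),
        "paddings_differ": em_target != em_second,
        "known_tail": em_target.endswith(session_key),
    }

if __name__ == "__main__":
    print(demo())
```

In `demo()`, the party holding the second key learns the session key but not the random bytes that precede it in the block encrypted to the target key, which is the "only *part* of the plaintext" point from the thread.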