how vulnerable is "hidden-encrypt-to"

Jens Lechtenboerger cloudpg at informationelle-selbstbestimmung-im-internet.de
Tue Aug 21 17:56:10 CEST 2012


On Mon, Aug 20 2012, vedaal at nym.hush.com wrote:

> On Mon, 20 Aug 2012 13:57:41 -0400 Jens Lechtenboerger
> <cloudpg at informationelle-selbstbestimmung-im-internet.de> wrote:
>
>>In contrast, I interpreted the original question in terms of
>>recipient anonymity: Bob wants to encrypt a message to some
>>undisclosed list of recipients (say, including Alice and Eve), and
>>nobody should be able to figure out who (else) is on the list.
>>Clearly, the fact whether I can decrypt the message tells me
>>whether I'm on the list or not; however, I should not be able to
>>learn more than that.  In particular, I should not be able to
>>identify any other recipient.
>
> The simplest way to do that is to send the message encrypted to
> only one recipient at a time.

That's correct, but severely restricted.

> Now, if the sender *wanted* to mislead, she could, in addition to
> sending encrypted messages to the 'real' people she wanted to send
> to, she could also use hidden-encrypt to anyone else's public key,
> and send people on a wild chase of trying to see who else it was
> encrypted to.

I'm not convinced.  First, I don't want to enable lots of
unnecessary parties to read those messages.  Second, I may be
interested in real protection, not just in having fun with false
traces.

>>In that situation, my previous posting was meant to suggest that
>>Eve (if she has access to the public RSA key of Alice used by Bob)
>>will be able to figure out that the message was also encrypted to
>>Alice.
>
> =====
>
> I'm not sure about this.
>
> The way RSA works, is that the session key has *padding* added
> before it is encrypted to a public key.  It may even have
> *different* padding for each public key it is encrypted to in the
> same gnupg command.  (Maybe those who really know about this,
> could comment if the padding is the same or different for each
> public key RSA encrypted packet in one encrypted gnupg message).
>
> If so, and there is different padding, then you will not be able
> to determine whose key it is just by trying to re-encrypt the
> session key to a trial list of public keys, and comparing the
> ciphertext.

Also, "different" would need to be random and of sufficient
length...

> Even if it is not so, (i.e. that there is no 'different' padding),
> it will not be easy for an average user to re-encrypt, as (afaik),
> gnupg doesn't list the padding upon decryption.
>  
> (It could be done though, by decrypting that packet directly with
> RSA tools, but probably not by the average user :-) ...  )

I'm not concerned whether the average user can do this right now or
not.  I'm concerned about experts (that could also provide attack
tools to average users).

Many thanks for your input!
Jens
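
Added example, not part of the original post: a toy model of the trial re-encryption check discussed above, run against unpadded RSA, a one-byte random pad, and a full-length random pad in the PKCS#1 v1.5 type 2 layout. The moduli are constructed from Mersenne primes for the demo and are not secure keys; the names alice and carol, all function names, and the bare 16-byte session key are assumptions of the example.

```python
import secrets

E = 65537
# Constructed toy moduli (products of Mersenne primes): insecure, demo only.
KEYS = {"alice": (2**521 - 1) * (2**607 - 1),
        "carol": (2**1279 - 1) * (2**2203 - 1)}

def rsa_encrypt(block: bytes, n: int) -> int:
    """Raw RSA public-key operation on an already encoded block."""
    return pow(int.from_bytes(block, "big"), E, n)

def pad_v15(msg: bytes, ps: bytes) -> bytes:
    """PKCS#1 v1.5 type 2 layout: 00 02 PS 00 M (PS = nonzero bytes)."""
    return b"\x00\x02" + ps + b"\x00" + msg

def random_ps(length: int) -> bytes:
    """Random padding string of nonzero bytes."""
    return bytes(secrets.randbelow(255) + 1 for _ in range(length))

def guess_recipient(session_key, ciphertext, candidate_ps):
    """Trial re-encryption: name of the key whose re-encryption matches.

    candidate_ps lists the padding strings the tester is able to try;
    [None] means no padding at all (textbook RSA).
    """
    for name, n in KEYS.items():
        for ps in candidate_ps:
            block = session_key if ps is None else pad_v15(session_key, ps)
            if rsa_encrypt(block, n) == ciphertext:
                return name
    return None

def demo():
    sk = secrets.token_bytes(16)      # session key, known to every recipient
    n = KEYS["alice"]
    k = (n.bit_length() + 7) // 8     # modulus length in bytes
    # 1. No padding: encryption is deterministic, so comparison finds Alice.
    unpadded = guess_recipient(sk, rsa_encrypt(sk, n), [None])
    # 2. One random byte: only 255 possible pads, all of them can be tried.
    one_byte = [bytes([b]) for b in range(1, 256)]
    ct = rsa_encrypt(pad_v15(sk, random_ps(1)), n)
    short = guess_recipient(sk, ct, one_byte)
    # 3. Full-length random pad: a fresh guess at PS does not reproduce it.
    full_len = k - 3 - len(sk)
    ct = rsa_encrypt(pad_v15(sk, random_ps(full_len)), n)
    full = guess_recipient(sk, ct, [random_ps(full_len)])
    return unpadded, short, full
```

Calling demo() returns the recipient name found in each of the three cases, or None where the comparison fails.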


