Oracle behavior in Gnupg? // (was 'possible bug in gpg?')
vedaal at nym.hush.com
Mon Jul 30 16:45:19 CEST 2012
While playing around with --override-session-key, have noticed
that gpg gives many different sets of error messages when trying
out different session keys.
Here is an interesting example:
First, the gnupg encrypted text:
here is the REAL session key:
10:A57B66F81B20273C587619AEA4C839D376DF50D23C946E97FB290D01CE9E1F8D
-----
Here is a 'starting' trial session key
(chosen as a start as it's easy to describe and keep track of the
changes)
10:123456789a123456789b123456789c123456789d123456789e123456789f1234
Here is the gpg output:
gpg --override-session-key 10:123456789a123456789b123456789c123456789d123456789e123456789f1234 e:\jt1.txt.asc
gpg: armor: BEGIN PGP MESSAGE
gpg: armor header: Version: GnuPG v1.4.12 (MingW32)
gpg: armor header: Comment: encrypted to my default public key
:pubkey enc packet: version 3, algo 1, keyid 506F4FA1D35FB186
data: [4094 bits]
gpg: public key is D35FB186
gpg: public key encrypted data: good DEK
:encrypted data packet:
length: 72
mdc_method: 2
gpg: encrypted with 4096-bit RSA key, ID D35FB186, created 2008-01-22
"vedaal nistar (previous addresses were spam flooded) <vedaal at nym.hush.com>"
gpg: TWOFISH encrypted data
gpg: [don't know]: invalid packet (ctb=37)
gpg: mdc_packet with invalid encoding
gpg: decryption failed: invalid packet
gpg: onepass_sig with unknown version 146
-----
Here is the session key with the REAL first 4 characters of the
session key:
10:A57B56789a123456789b123456789c123456789d123456789e123456789f1234
Here is the gpg output:
gpg --override-session-key 10:A57B56789a123456789b123456789c123456789d123456789e123456789f1234 e:\jt1.txt.asc
gpg: armor: BEGIN PGP MESSAGE
gpg: armor header: Version: GnuPG v1.4.12 (MingW32)
gpg: armor header: Comment: encrypted to my default public key
:pubkey enc packet: version 3, algo 1, keyid 506F4FA1D35FB186
data: [4094 bits]
gpg: public key is D35FB186
gpg: public key encrypted data: good DEK
:encrypted data packet:
length: 72
mdc_method: 2
gpg: encrypted with 4096-bit RSA key, ID D35FB186, created 2008-01-22
"vedaal nistar (previous addresses were spam flooded) <vedaal at nym.hush.com>"
gpg: TWOFISH encrypted data
:unknown packet: type 50, length 152
dump: 36 53 de 6e 59 4d d2 0f f4 09 98 87 31 bc a9 3c 1e fd 11 8a ae 92 5e 14
24: b8 d4 64 f5 be EOF
gpg: mdc_packet with invalid encoding
gpg: decryption failed: invalid packet
-----
Have not tried all the 2^16 possibilities for the first 4
characters, but the few that I have tried lead to the same error
message as the first trial.
Could this be Oracle behavior on Gnupg's part, leading to a leak of
the first 4 characters of the session key?
fwiw,
This doesn't extend to finding out the next 4 real characters of
the session key.
Here is the gpg output when the first 8 real characters are used:
gpg --override-session-key 10:A57B66F89a123456789b123456789c123456789d123456789e123456789f1234 e:\jt1.txt.asc
gpg: armor: BEGIN PGP MESSAGE
gpg: armor header: Version: GnuPG v1.4.12 (MingW32)
gpg: armor header: Comment: encrypted to my default public key
:pubkey enc packet: version 3, algo 1, keyid 506F4FA1D35FB186
data: [4094 bits]
gpg: public key is D35FB186
gpg: public key encrypted data: good DEK
:encrypted data packet:
length: 72
mdc_method: 2
gpg: encrypted with 4096-bit RSA key, ID D35FB186, created 2008-01-22
"vedaal nistar (previous addresses were spam flooded) <vedaal at nym.hush.com>"
gpg: TWOFISH encrypted data
gpg: mdc_packet with invalid encoding
gpg: decryption failed: invalid packet
----
Here is the gpg output when only the 2nd real 4 characters are
used:
gpg --override-session-key 10:123466F89a123456789b123456789c123456789d123456789e123456789f1234 e:\jt1.txt.asc
gpg: armor: BEGIN PGP MESSAGE
gpg: armor header: Version: GnuPG v1.4.12 (MingW32)
gpg: armor header: Comment: encrypted to my default public key
:pubkey enc packet: version 3, algo 1, keyid 506F4FA1D35FB186
data: [4094 bits]
gpg: public key is D35FB186
gpg: public key encrypted data: good DEK
:encrypted data packet:
length: 72
mdc_method: 2
gpg: encrypted with 4096-bit RSA key, ID D35FB186, created 2008-01-22
"vedaal nistar (previous addresses were spam flooded) <vedaal at nym.hush.com>"
gpg: TWOFISH encrypted data
gpg: [don't know]: invalid packet (ctb=32)
gpg: mdc_packet with invalid encoding
gpg: decryption failed: invalid packet
Both examples give error messages identical to the first one,
except that when the first 8 real characters are used, the error
message of 'gpg: [don't know]: invalid packet (ctb=37)' is not
present,
and when the second real 4 characters are used, there is a
'different' error message of 'gpg: [don't know]: invalid packet
(ctb=32)'.
Anything real about the 'oracle' action in any of this ?
vedaal
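
Added example (not part of the original post and not GnuPG's code): a packet-header classifier following RFC 4880 section 4.2, showing how the first bytes of a decrypted stream determine whether a parser sees an invalid header byte, as in "invalid packet (ctb=37)", or a header with a type and length, as in "unknown packet: type 50, length 152". The function names are hypothetical and the input bytes are constructed to match values quoted in the output above.

```python
# Added example, not GnuPG code: classify an OpenPGP packet header
# following RFC 4880 section 4.2. Function names are hypothetical.
from collections import Counter

def parse_header(buf):
    """Return (kind, tag, length) for the packet header at the start of buf."""
    if not buf:
        return ("eof", None, None)
    ctb = buf[0]
    if not ctb & 0x80:                 # bit 7 must be set in every header
        return ("invalid", None, None)
    if ctb & 0x40:                     # new format: tag is bits 5..0
        tag, body = ctb & 0x3F, buf[1:]
        if not body:
            return ("truncated", tag, None)
        first = body[0]
        if first < 192:                # one-octet length
            return ("ok", tag, first)
        if first < 224:                # two-octet length
            if len(body) < 2:
                return ("truncated", tag, None)
            return ("ok", tag, ((first - 192) << 8) + body[1] + 192)
        if first == 255:               # five-octet length
            if len(body) < 5:
                return ("truncated", tag, None)
            return ("ok", tag, int.from_bytes(body[1:5], "big"))
        return ("partial", tag, 1 << (first & 0x1F))
    tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03   # old format: tag is bits 5..2
    if ltype == 3:                     # indeterminate length
        return ("indeterminate", tag, None)
    n = 1 << ltype                     # 1, 2 or 4 length octets
    if len(buf) < 1 + n:
        return ("truncated", tag, None)
    return ("ok", tag, int.from_bytes(buf[1:1 + n], "big"))

def first_byte_census():
    """Classify every possible first byte, followed by constructed filler."""
    filler = bytes([0x10, 0, 0, 0])
    return Counter(parse_header(bytes([b]) + filler)[0] for b in range(256))

if __name__ == "__main__":
    # Constructed inputs chosen to match values shown in the gpg output above.
    print(parse_header(bytes([0x37])))        # ctb=37: bit 7 clear
    print(parse_header(bytes([0x32])))        # ctb=32: bit 7 clear
    print(parse_header(bytes([0xF2, 152])))   # new format, type 50, length 152
    print(first_byte_census())
```

The census covers all 256 values of the first byte, so it shows what share of possible first bytes fall into each header class.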