TriNetre - Archive for February 11, 2005

(no longer updated)

Serge Mister and Robert Zuccherato from Entrust released a paper outlining an attack on the way OpenPGP does symmetric cryptography. While the attack is not practical when used against human beings, it could result in some data leak when used against an automated system. As outlined in PGP Corporation's CTO corner:

If someone starts sending me lots of bogus emails in the hope that I'll let them know which ones pass the quick check and which don't, they sorely overestimate my patience and underestimate the size of my to-do list. I'll get tired long before they get to a dozen of these messages, let alone the 30,000+ typically needed (or 65,536 needed to guarantee the success). The same is probably true for you, too.
...
Also remember that the attack requires the participation of someone who has the key to the message under attack. If someone finds a discarded OpenPGP-encrypted file (or intercepts an email), that person cannot attack the message by itself. Instead, the attacker must persuade an entity that can decrypt the message to leak information about damaged copies of it. Consequently, your files and emails are safe unless you're somehow conned into being an oracle.

If you are into these sort of stuff, the paper makes for interesting reading.