Re: Beginner Question:Gnupg Decryption
- From: "vedaal" <vedaal@xxxxxxxxx>
- Date: 26 Mar 2007 07:53:56 -0700
On Mar 26, 1:14 am, "MichiMichi" <wwwm...@xxxxxx> wrote:
> That made me think. If one email recipient uses a weak key, other
> email recipients could bruteforce the message and easily detect weak
> passwords.
this could happen, but is not likely,
and, (except for one case listed below), has nothing to do with
passwords
ordinarily a 'weak' key is understood as one whose keylength is small
enough to be brute forced, (i.e. 1024 or less),
and then an attacker could obtain the session key and decrypt the
message
in practice,
the sender *knows* the keysizes of all keys chosen for encryption,
(and gnupg even 'reminds' the sender of this before encrypting)
so the sender would usually not select such a key
what might be a potential problem, is the following:
it is possible to have gnupg encrypt to public keys, and at the same
time,
also encrypt symmetrically
(to a user who doesn't have access to the keyring, or prefers not to
use a public key)
when gnupg does this, the *same* session key is encrypted both to the
public key,
so,
if Bob sends a GnuPG message encrypted to Alice's public key,
and symmetrically to Eve, using a passphrase that both Bob and Eve
have agreed upon beforehand,
then
it may be possible (but not 'easy'), for Alice to recover this
passphrase,
as she has the session key and the ciphertext,
(but not the salt)
vedaal
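
Added example, not part of the original post: a message encrypted both to public keys and to a passphrase carries a public-key encrypted session key packet (tag 1) and a symmetric-key encrypted session key packet (tag 3) ahead of the encrypted data, so a recipient can detect the mix from the packet headers alone. The function names and sample bytes below are constructed for illustration; the header layout follows RFC 4880 section 4.2.

```python
# Added example: walks the leading OpenPGP packets of a binary (non-armored)
# message and counts the two kinds of encrypted-session-key packets.
PKESK, SKESK, SED, SEIPD = 1, 3, 9, 18    # RFC 4880 packet tags

def read_header(buf, pos):
    """Return (tag, body_start, body_len) for the packet header at pos."""
    first = buf[pos]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet header at offset %d" % pos)
    if first & 0x40:                      # new-format header
        tag, o1 = first & 0x3F, buf[pos + 1]
        if o1 < 192:
            return tag, pos + 2, o1
        if o1 < 224:
            return tag, pos + 3, ((o1 - 192) << 8) + buf[pos + 2] + 192
        if o1 == 255:
            return tag, pos + 6, int.from_bytes(buf[pos + 2:pos + 6], "big")
        return tag, pos + 2, None         # partial body length
    tag, ltype = (first >> 2) & 0x0F, first & 0x03   # old-format header
    if ltype == 3:
        return tag, pos + 1, None         # indeterminate length
    n = 1 << ltype                        # 1, 2 or 4 length octets
    return tag, pos + 1 + n, int.from_bytes(buf[pos + 1:pos + 1 + n], "big")

def recipient_summary(buf):
    """Count the session-key packets that precede the encrypted data packet."""
    counts, pos = {"public_key": 0, "passphrase": 0}, 0
    while pos < len(buf):
        tag, start, length = read_header(buf, pos)
        if tag in (SED, SEIPD):
            break                         # session-key packets come first
        if tag == PKESK:
            counts["public_key"] += 1
        elif tag == SKESK:
            counts["passphrase"] += 1
        if length is None:
            raise ValueError("unexpected streamed packet before data")
        pos = start + length
    counts["mixed"] = counts["public_key"] > 0 and counts["passphrase"] > 0
    return counts

# Constructed sample: valid headers, zero-filled placeholder bodies.
SAMPLE = (bytes([0x84, 0x04]) + bytes(4)      # old-format tag 1, 4-byte body
          + bytes([0xC3, 0x03]) + bytes(3)    # new-format tag 3, 3-byte body
          + bytes([0xD2, 0x02]) + bytes(2))   # new-format tag 18 (data)

if __name__ == "__main__":
    print(recipient_summary(SAMPLE))
```

A result with "mixed" set tells a public-key recipient that the same message can also be opened with a passphrase, which is the situation described above.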