Oracle Attack Immunity

An oracle attack is a powerful technique used to discover information about the internal state of some system. The system is tested in some way, usually repetitively, and the response is analyzed.

My single point here is that when PGP is used in a unidirectional application like email, oracle attacks are impossible simply because there is no response available. I suppose in theory the attacker could try to get the recipient to manually send back the error messages, but that would only cause the sort of confusion that would not advance anything. A successful attack that depended on the actions of the users would involve social engineering at a high enough level to make messing around with the cryptography unnecessary. The desired information could be obtained directly from the users.

This immunity to oracle attacks comes from the simplicity of PGP. There are no low-level automated subsystems to interact with. You are always interacting with a person.

This might seem to be a trivial observation, and it might seem that I am giving PGP credit for something intrinsic to the application. Sometimes the name of a particular attack is matched to the name of a particular encryption method without checking for the prerequisites that could make that attack possible. This is common in the case of oracle attacks.
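The prerequisite check described above can be made concrete. The following is an added example, not part of the original article: it uses a constructed toy cipher (not PGP, not secure) and hypothetical names (`automated_service`, `mail_drop`, `observable_responses`) to compare what a sender can observe from an automated receiver with what it can observe from a unidirectional delivery.

```python
import hashlib, hmac, os

KEY = os.urandom(32)  # receiver's secret (constructed for this example)

def _keystream(n, nonce):
    # Toy SHA-256 counter keystream; illustration only, not PGP and not secure.
    blocks = (hashlib.sha256(KEY + nonce + bytes([i])).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def encrypt(msg):
    pad = 16 - len(msg) % 16
    padded = msg + bytes([pad]) * pad
    nonce = os.urandom(8)
    body = bytes(a ^ b for a, b in zip(padded, _keystream(len(padded), nonce)))
    return nonce + body + hmac.new(KEY, padded, hashlib.sha256).digest()

def _process(blob):
    # Internal state the sender should never learn: which stage rejected the input.
    nonce, body, tag = blob[:8], blob[8:-32], blob[-32:]
    padded = bytes(a ^ b for a, b in zip(body, _keystream(len(body), nonce)))
    pad = padded[-1]
    if not 1 <= pad <= 16 or padded[-pad:] != bytes([pad]) * pad:
        return "bad padding"
    if not hmac.compare_digest(tag, hmac.new(KEY, padded, hashlib.sha256).digest()):
        return "bad integrity"
    return "ok"

def automated_service(blob):
    # Bidirectional system: the result goes straight back to whoever submitted it.
    return _process(blob)

def mail_drop(blob):
    # Unidirectional delivery, as with encrypted email: the result stays with the recipient.
    _process(blob)
    return None

def observable_responses(receiver, blob):
    # Submit all 256 variations of the last body byte; collect what the sender can see.
    seen = set()
    for delta in range(256):
        variant = bytearray(blob)
        variant[-33] ^= delta
        seen.add(receiver(bytes(variant)))
    return seen

if __name__ == "__main__":
    blob = encrypt(b"meet at noon")  # constructed sample message
    print(observable_responses(automated_service, blob))  # several distinct answers
    print(observable_responses(mail_drop, blob))          # nothing to analyze
```

More than one observable response means the system meets the prerequisite for an oracle attack; a single constant response, as in the mail case, means it does not.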

