pgpfan:oracle
pgpfan:oracle [2022/09/25 12:03] – Clearer. b.walzer | pgpfan:oracle [2022/11/07 21:35] (current) – Address oracle in standard b.walzer
======Oracle Attack Immunity======

An [[https://

This might seem to be a trivial observation, and that I am giving PGP credit for something intrinsic to the application, but this is a common source of confusion. It is often incorrectly assumed that oracle attacks applicable to online, connection-oriented media are also relevant to the offline, non-connection-oriented media where PGP is used.
=====But there is a reference to an oracle attack right in the OpenPGP standard!=====

Why yes, there is. See: [[https://

The OpenPGP standard has a feature that allows a user to be informed that they have entered the wrong key. Using GnuPG, the command-line oriented OpenPGP implementation, as an example, this is what that looks like:

  ┌──────────────────────────────────────────────────────┐
  │ Please enter the passphrase for decryption.
  │                                                      │
  │ Passphrase: ******************************__________ │
  │                                                      │
  │ <
  └──────────────────────────────────────────────────────┘

  gpg: decryption failed: Bad session key

I can't help remarking in passing that there is a minor usability issue here. The user was asked to enter something called a "

  gpg: WARNING: encrypted message has been manipulated!

... which is actively misleading and gives the user no idea of what to do next. So the passphrase check is an important and required feature.
+ | |||
+ | This is what normal PGP usage looks like: | ||
+ | |||
+ | {{oracle1.svg}} | ||
+ | |||
+ | First the sender and receiver agree on a key somehow. Then the sender uses that key to encrypt a message/ | ||
+ | |||
+ | The passphrase check is based on the unencrypted data. Generally, in such a case it might be possible to learn things about the unencrypted data with some sort of oracle attack. The paper shows that this is possible. | ||
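As an added illustration (not code from this page or from GnuPG): a Python model of the two checks shown above, in which the passphrase "quick check" on the repeated prefix bytes and the modification detection code both run over decrypted bytes, and every failure is reported only to the local caller. OpenPGP's AES-CFB and S2K are replaced by stand-ins built from the standard library (an assumption made for self-containment), and the passphrase, salt and prefix used are constructed sample values.

```python
import hashlib
import hmac
import os

BLOCK = 16     # AES block size: length of the random prefix (RFC 4880 section 5.7)
SALT_LEN = 8   # OpenPGP S2K salt length
MDC_LEN = 20   # SHA-1 digest length of the Modification Detection Code


def derive_key(passphrase: str, salt: bytes) -> bytes:
    # Stand-in for OpenPGP's iterated-salted S2K (assumption): PBKDF2-HMAC-SHA256.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 10_000, 32)


def keystream(key: bytes, length: int) -> bytes:
    # Stand-in for AES in OpenPGP CFB mode (assumption): HMAC-SHA256 in counter
    # mode, so decryption is a plain XOR and one flipped byte flips one byte.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(passphrase: str, plaintext: bytes, salt: bytes = b"", prefix: bytes = b"") -> bytes:
    salt = salt or os.urandom(SALT_LEN)
    prefix = prefix or os.urandom(BLOCK)
    # RFC 4880 layout: random prefix, its last two bytes repeated, the data, the
    # MDC packet header (0xD3 0x14), then SHA-1 over everything before the hash.
    body = prefix + prefix[-2:] + plaintext + b"\xd3\x14"
    mdc = hashlib.sha1(body).digest()
    return salt + xor(body + mdc, keystream(derive_key(passphrase, salt), len(body) + MDC_LEN))


def decrypt(passphrase: str, message: bytes) -> tuple:
    # Returns (status, plaintext). Both checks read *decrypted* bytes, which is why
    # their outcome is an oracle whenever it can travel back to an attacker.
    salt, ciphertext = message[:SALT_LEN], message[SALT_LEN:]
    data = xor(ciphertext, keystream(derive_key(passphrase, salt), len(ciphertext)))
    if data[BLOCK - 2:BLOCK] != data[BLOCK:BLOCK + 2]:   # the passphrase "quick check"
        return "Bad session key", None
    body, mdc = data[:-MDC_LEN], data[-MDC_LEN:]
    if body[-2:] != b"\xd3\x14" or not hmac.compare_digest(hashlib.sha1(body).digest(), mdc):
        return "encrypted message has been manipulated!", None
    return "ok", body[BLOCK + 2:-2]
```

A wrong passphrase almost always fails the quick check, while a message altered after the prefix passes it and fails only the MDC, which is exactly the pair of messages GnuPG prints above.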

So what do we need to set up this oracle? If we gave the attacker direct access to the decryption program, we would have to give them access to the key so they could use it. Giving the attacker access to the key would make the oracle pointless; the attacker would just use the key to decrypt the entire thing.

The result looks like this for "

{{oracle2.svg}}

The actual attack looks like this:

{{oracle3.svg}}

The "

I would like to draw attention to the question of how the receiver knows how to send the passphrase error to the sender. Obviously as part of the protocol/

I am claiming in this article that the offline, non-connection-oriented media that OpenPGP is used with are inherently immune to oracle attacks. This attack, if anything, supports my point by showing that it would be necessary to go to a significant amount of trouble to create a connection to make the attack work. It seems fairly obvious that this is unlikely to be done accidentally.

Note that this is an attack against the behaviour of particular OpenPGP implementations when used in unexpected ways, not against the OpenPGP standard itself. If someone really wanted to use OpenPGP messages for an online, connection-oriented medium, OpenPGP provides a simple but effective [[pgpfan:

There are other error conditions that could potentially be used to leak information about the unencrypted message using this sort of oracle. Examples:

  * Data compression errors.
  * Packet structure errors.
  * Incorrect packet length.
  * Unexpected packet order.
  * Unexpected message length.

The same discussion applies...

[[pgpfan:
[[em:
[[:
pgpfan/oracle.txt · Last modified: 2022/11/07 21:35 by b.walzer