pgpfan:oracle
Differences
This shows you the differences between two versions of the page.
pgpfan:oracle [2020/08/22 18:21] – social engineering b.walzer | pgpfan:oracle [2022/11/07 21:35] (current) – Address oracle in standard b.walzer | ||
---|---|---|---|
Line 7: | Line 7: | ||
This immunity to oracle attacks comes from the simplicity of PGP. There are no low level automated subsystems to interact with. You are always interacting with a person. | This immunity to oracle attacks comes from the simplicity of PGP. There are no low level automated subsystems to interact with. You are always interacting with a person. | ||
- | This might seem to be a trivial observation and that I am giving PGP credit for something intrinsic to the application. | + | This might seem to be a trivial observation and that I am giving PGP credit for something intrinsic to the application |
+ | |||
+ | =====But there is a reference to an oracle | ||
+ | |||
+ | Why yes, there is. See: [[https:// | ||
+ | |||
+ | The OpenPGP standard has a feature to allow a user to be informed that they have entered | ||
+ | |||
+ | ┌──────────────────────────────────────────────────────┐ | ||
+ | │ Please enter the passphrase for decryption. | ||
+ | │ │ | ||
+ | │ Passphrase: ******************************__________ │ | ||
+ | │ │ | ||
+ | │ < | ||
+ | └──────────────────────────────────────────────────────┘ | ||
+ | |||
+ | gpg: decryption failed: Bad session key | ||
+ | |||
+ | I can't help remarking in passing that there is a minor usability issue here. The user was asked to enter something called a " | ||
+ | |||
+ | gpg: WARNING: encrypted message has been manipulated! | ||
+ | |||
+ | ... which is actively misleading and provides the user no idea of what to do next. So the passphrase check is an important and required feature. | ||
+ | |||
+ | This is what normal PGP usage looks like: | ||
+ | |||
+ | {{oracle1.svg}} | ||
+ | |||
+ | First the sender and receiver agree on a key somehow. Then the sender uses that key to encrypt a message/ | ||
+ | |||
+ | The passphrase check is based on the unencrypted data. Generally, in such a case it might be possible to learn things about the unencrypted data with some sort of oracle attack. The paper shows that this is possible. | ||
+ | |||
+ | So what do we need to set up this oracle? If we give the attacker direct access to the decryption program then we would have to give them access to the key so they could use it. Giving the attacker access to the key would make the oracle pointless; the attacker would just use the key to decrypt the entire thing. | ||
+ | |||
+ | The result looks like this for " | ||
+ | |||
+ | {{oracle2.svg}} | ||
+ | |||
+ | The actual | ||
+ | |||
+ | {{oracle3.svg}} | ||
+ | |||
+ | The " | ||
+ | |||
+ | I would like to draw attention to the question of how the receiver knows how to send the passphrase error to the sender. Obviously as part of the protocol/ | ||
+ | |||
+ | I am claiming in this article that the offline non-connection oriented media that OpenPGP is used with are inherently immune to oracle attacks. This attack, if anything, supports my point by showing that it would be necessary to go to some significant amount of trouble to create a connection to make the attack work. It seems fairly obvious that it is unlikely that this would be done accidentally. | ||
+ | |||
+ | Note that this is an attack against the behaviour of particular OpenPGP implementations when used in unexpected ways, not the OpenPGP standard itself. If someone really wanted to use OpenPGP messages for a online connection oriented medium, OpenPGP provides a simple but effective [[pgpfan: | ||
+ | |||
+ | There are other error conditions that could potentially be used to leak information about the unencrypted message using this sort of oracle. Examples: | ||
+ | |||
+ | * Data compression errors. | ||
+ | * Packet structure errors. | ||
+ | * Incorrect packet length. | ||
+ | * Unexpected packet order. | ||
+ | * Unexpected message length. | ||
+ | |||
+ | The same discussion applies... | ||
[[pgpfan: | [[pgpfan: | ||
+ | [[em: | ||
+ | [[: | ||
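Review bot: the added paragraph beginning "Note that this is an attack against the behaviour of particular OpenPGP implementations" says the attack is not against the OpenPGP standard itself, yet the earlier added paragraph beginning "The OpenPGP standard has a feature" attributes the passphrase check to the standard, and the revision summary reads "Address oracle in standard". Suggest saying explicitly how the two fit together, for example that the check is specified by the standard while the oracle only exists once the result of the check is returned to the sender over a connection, which is the argument the "I am claiming in this article" paragraph already makes. The bullet list of other error conditions ends with "The same discussion applies..." without naming which part of the discussion carries over; one sentence stating the shared requirement (a channel that returns the error to the sender) would close it. Minor: "a online connection oriented medium" should read "an online connection-oriented medium".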
pgpfan/oracle.1598120479.txt.gz · Last modified: 2020/08/22 18:21 by b.walzer