The Call of the Open Sidewalk

From a place slightly to the side of the more popular path


This is an old revision of the document!


Oracle Attack Immunity

An oracle attack is a powerful technique used to discover information about the internal state of some system. The system is tested in some way, usually repeatedly, and its responses are analyzed.

My single point here is that when PGP is used in a unidirectional application like email, oracle attacks are impossible simply because there is no response available. I suppose in theory the attacker could try to get the recipient to manually send back the error messages, but that would only cause confusion that would not advance the attack. A successful attack that depended on the actions of the users would involve social engineering at a high enough level to make messing around with the cryptography unnecessary. The desired information could be obtained directly from the users.

This immunity to oracle attacks comes from the simplicity of PGP. There are no low-level automated subsystems to interact with. You are always interacting with a person.

This might seem to be a trivial observation, and it might seem that I am giving PGP credit for something intrinsic to the application, but this is a common source of confusion. It is often incorrectly assumed that oracle attacks applicable to online, connection-oriented media are also relevant for the offline, non-connection-oriented media where PGP is used.


pgpfan/oracle.1664107416.txt.gz · Last modified: 2022/09/25 12:03 by b.walzer