A security bug in PGP products?

Travis H. solinym at gmail.com
Mon Aug 28 22:36:11 EDT 2006


On 8/23/06, Dave Korn <dave.korn at artimi.com> wrote:
>   Given that, whatever passphrase you use, you will decrypt the EDK block and
> get /something/ that looks like a key, this comparison of hashes is a sanity
> test.  If you bypass it but enter the wrong passphrase, you'll get an
> incorrectly-decrypted EDK, which will lead your disk to look like every sector
> is full of random garbage.  Rather than decrypt the entire disk and run chkdsk
> to see if it looks sane, comparing the hashes of the passphrase is a quick and
> dirty way of testing if the resulting EDK is going to be the correct one.

The PGP email encryption has two known-plaintext bytes for that purpose.
This only honors a bad key 2^16 of the time, but ensures that brute-forcing
must do a more extensive unknown-plaintext attack at that rate for any
potentially-correct key.

This reminds me a little of the suggestions that MACs should be truncated,
although it seems to me that it's better to encrypt a hash of the plaintext.
-- 
"If you're not part of the solution, you're part of the precipitate."
Unix "guru" for rent or hire -><- http://www.lightconsulting.com/~travis/
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
