David Shaw on Tue, 9 Sep 2003 17:31:05 -0400

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] gpg spoof?

On Tue, Sep 09, 2003 at 05:19:13PM -0400, Eugene Smiley wrote:
> David Shaw wrote:
> > In short the attack works like this: Alice sends an encrypted
> > message to Charlie.  Baker intercepts it, but cannot read it.
> > Baker mangles the message in a special way and sends it to Charlie.
> > Charlie decrypts it (thinking it is from Baker) and discovers a
> > whole lot of gibberish.  Charlie replies (quoting the gibberish) to
> > Baker, saying "what is this?".
> >
> > Baker can then use the gibberish to decrypt the original message
> > from Alice to Charlie.
> Does this compromise the users encryption key or just the session key
> for that message?

Session key only.  Compromising the encryption key from the session
would be a known plaintext attack, which as you pointed out, is highly
resisted ;)

Philadelphia Linux Users Group        --       http://www.phillylinux.org
Announcements - http://lists.netisland.net/mailman/listinfo/plug-announce
General Discussion  --   http://lists.netisland.net/mailman/listinfo/plug