On 03/18/2014 09:00 AM, Alfredo Pironti wrote:
> I have done some preliminary work on password managers that rely on
> OpenPGP (gpg, in fact) to encrypt the passwords. Unsurprisingly, it
> turns out that compressing the password before encrypting it leaks much
> of the password entropy, making dictionary attacks significantly easier
> to mount. (In my preliminary experiments I used a password dictionary
> containing about 4 million passwords. If the attacker knows the original
> password length and its compressed length, then for some combinations of
> the two the candidate dictionary entries can reduce to as few as some
> hundreds.)

I wonder why the additional piece of information is available, which is
that both the length of the original password and the length of the
compressed one are available from a ciphertext that is an encrypted password.
Wouldn't only one of these sizes be provided through the size of the
ciphertext?

When you build a dictionary with 4 million passwords, you can index it
by the password length or by the password's compressed length. It's true
that OpenPGP CFB format will leak the size either of the plaintext or of
the compressed plaintext (so perhaps higher-level padding is the right
thing to do in cases like these). Narrowing down the choices by the size
of the password vs. the size of the compressed password seems
equivalent regarding the password recovery attack.

I do see that if we can narrow down the choices by two sizes
simultaneously, this will indeed narrow down the possibilities further.
However, it's unclear how both sizes are obtained from a single ciphertext.
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
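
An added example, not part of either message in this thread: it measures how much each size observable discussed above (plaintext length, compressed length, both together) partitions a candidate list, and how fixed-size padding removes the distinction. The word list is constructed, raw DEFLATE from Python's `zlib` stands in for gpg's compression, and `padded_len` with its 32-byte block is a hypothetical padding scheme.

```python
import zlib
from collections import defaultdict

# Constructed sample candidates (not from the thread): 8 and 12 bytes long.
CANDIDATES = [
    "password", "aaaaaaaa", "12345678", "abcabcab", "letmein1", "qwertyui",
    "sunshine", "abababab", "zzzzzzzzzzzz", "correcthorse", "111111111111",
    "trustno1trus",
]

def deflate_len(pw):
    """Size after raw DEFLATE, used here as a stand-in for gpg's compression."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return len(c.compress(pw.encode()) + c.flush())

def padded_len(pw, block=32):
    """Hypothetical higher-level padding: no compression, one length byte,
    then round up to a multiple of `block` (an assumed block size)."""
    return -(-(len(pw.encode()) + 1) // block) * block

def summarize(cands, observable):
    """Group candidates by the size an observer would see. Returns
    (number of distinct observations, largest indistinguishable group)."""
    groups = defaultdict(list)
    for pw in cands:
        groups[observable(pw)].append(pw)
    return len(groups), max(len(g) for g in groups.values())

def leakage_report(cands=CANDIDATES):
    """Compare the observables from the thread with the padded case."""
    return {
        "length": summarize(cands, lambda p: len(p.encode())),
        "compressed": summarize(cands, deflate_len),
        "both": summarize(cands, lambda p: (len(p.encode()), deflate_len(p))),
        "padded": summarize(cands, padded_len),
    }

if __name__ == "__main__":
    for name, (n, largest) in leakage_report().items():
        print(f"{name:10s} distinct sizes={n:2d} largest group={largest}")
```

More distinct sizes and smaller groups mean more leakage; with padding every candidate in this list yields the same observed size.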