2

In OpenPGP, when encrypting with public key -- is it possible to not include the RSA key id as plaintext in the metadata?

I need to encrypt messages, but I want it to be impossible to identify the receiver. Only the true receiver of the message will know that it is he or she.

I'm doing this with OpenPGP.js.

HelloWorld
    Relevant question: https://security.stackexchange.com/questions/25172/how-can-i-encrypt-a-file-using-gpg-without-including-the-recipients-key-id – jrtapsell May 22 '18 at 23:45

1 Answer

4

It is possible to hide the key ID by specifying a hidden recipient. This simply zeros out the included ID in the metadata and requires the recipient to exhaustively try all their secret keys before they can tell if it was even encrypted to them. This is part of the standard, specifically RFC 4880 § 5.1:

An implementation MAY accept or use a Key ID of zero as a "wild card" or "speculative" Key ID. In this case, the receiving implementation would try all available private keys, checking for a valid decrypted session key. This format helps reduce traffic analysis of messages.

GnuPG, an implementation of the OpenPGP standard, provides an option to do this:

--hidden-recipient name
-R

  Encrypt for user ID name, but hide the key ID of this user's key. This option
  helps to hide the receiver of the message and is a limited countermeasure
  against traffic analysis. If this option or --recipient is not specified,
  GnuPG asks for the user ID unless --default-recipient is given.

I do not know if OpenPGP.js supports this*, but it would be trivial to hack in support for it.

But know that this does not provide cryptographic protection against key discovery! Given enough encrypted ciphertexts, an adversary can discover what public key was used to encrypt it by solving the German tank problem. So hiding the key ID, even if supported by the standard, will not give you key privacy if an adversary has access to multiple ciphertexts and your public key.

RSA messages encrypted with a key using modulus n contain an integer between 0 and n-1 with uniform distribution. If an adversary is able to observe multiple encrypted messages, they will be able to determine a few of the most significant bits of the modulus, allowing them to tell individual encrypted messages apart or even tie them to their public key (after all, the modulus is public).

* According to the source code, a zeroed key ID appears to be supported. It was added in this commit.

forest
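A defender-side check for the hidden-recipient behaviour described in the answer above, as an added example that is not part of the original post or of OpenPGP.js: it walks the leading session-key packets of a binary (de-armored) OpenPGP message and reports, following the RFC 4880 § 5.1 layout, whether each key ID is zeroed and what stays readable anyway (the algorithm and the bit length of the RSA ciphertext integer). The function names and the `SAMPLE` bytes are constructed for illustration.

```javascript
// Constructed sample: two version-3 PKESK packets (one wildcard key ID, one
// ordinary key ID) followed by the start of an encrypted-data packet (tag 18).
const SAMPLE = Buffer.from(
  'c10e03' + '0000000000000000' + '01' + '0010' + '8001' + // new-format header
  '840e03' + '1122334455667788' + '01' + '0010' + 'c0de' + // old-format header
  'd2e001', 'hex');

// Decode one packet header; len is -1 when the length is partial/indeterminate.
function readPacketHeader(buf, pos) {
  const first = buf[pos];
  if ((first & 0x80) === 0) throw new Error('not an OpenPGP packet at ' + pos);
  if (first & 0x40) {                                  // new format
    const tag = first & 0x3f, o = buf[pos + 1];
    if (o < 192) return { tag, start: pos + 2, len: o };
    if (o < 224) return { tag, start: pos + 3, len: ((o - 192) << 8) + buf[pos + 2] + 192 };
    if (o === 255) return { tag, start: pos + 6, len: buf.readUInt32BE(pos + 2) };
    return { tag, start: pos + 2, len: -1 };           // partial body length
  }
  const tag = (first >> 2) & 0x0f, lt = first & 0x03;  // old format
  if (lt === 0) return { tag, start: pos + 2, len: buf[pos + 1] };
  if (lt === 1) return { tag, start: pos + 3, len: buf.readUInt16BE(pos + 1) };
  if (lt === 2) return { tag, start: pos + 5, len: buf.readUInt32BE(pos + 1) };
  return { tag, start: pos + 1, len: -1 };
}

// List what each public-key encrypted session key packet (tag 1) exposes.
function inspectRecipients(buf) {
  const out = [];
  let pos = 0;
  while (pos < buf.length) {
    const { tag, start, len } = readPacketHeader(buf, pos);
    if (tag !== 1 && tag !== 3) break;   // session-key packets precede the data
    if (len < 0) throw new Error('unexpected length form in session-key packet');
    if (tag === 1 && buf[start] === 3) { // version 3 PKESK
      const keyId = buf.subarray(start + 1, start + 9);
      out.push({
        keyId: keyId.toString('hex'),
        hidden: keyId.every((b) => b === 0),   // wildcard / speculative key ID
        algorithm: buf[start + 9],             // 1 = RSA
        mpiBits: buf.readUInt16BE(start + 10), // bit count of the first MPI
      });
    }
    pos = start + len;
  }
  return out;
}

console.log(inspectRecipients(SAMPLE));
```

A packet with `hidden: true` still carries the algorithm and the ciphertext MPI in the clear, and that MPI is the integer the answer's German tank argument is about.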