12

Does an encrypted message contain any information about whom it is encrypted to, or at least to how many recipients? And if so, is it at least only obtainable for other recipients or for just anybody?

Tobias Kienzler

1 Answer

18

To a large extent, yes. See RFC 4880, section 5.1: for each recipient, there is a "Public-Key Encrypted Session Key Packet" which contains the recipient key ID. This key ID is a 32-bit value which is used as index in key servers; there are key ID collisions, so this is not an absolute, totally accurate indication of the recipient, but it still gives a lot of information.

Theoretically, an all-zero key ID can be used as a way to discourage traffic analysis, but this is not a complete solution. For instance, with RSA keys, the packet still contains an integer between 0 and n-1, with n being the RSA modulus, with a fairly uniform distribution. Thus, observing many messages can yield, statistically, the first (most significant) few bytes of that modulus, which can be used to discriminate recipients from each other.

Thomas Pornin
  • 1
    And if it's not with RSA keys? – JSmyth Aug 26 '14 at 16:46
  • 1
    @JSmyth It seems like El Gamal provides key privacy, however there are so few people who use EGL for encryption anyway that you'd very likely be unique. – forest May 08 '18 at 23:30
  • The keyid in packet 1 for hybrid-encryption, and also packets 2 and 4 and subpacket 16 for signatures, and actually used on keyservers, has always been the **64-bit 'long' form**. Back in 2012 most programs used the 32-bit 'short' form (the low half of the long form, which itself is the low octets of the fingerprint) on user interfaces, but in the years since, especially after https://evil32.com, many now use long form or even the fingerprint. – dave_thompson_085 Jul 15 '20 at 03:24
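
Added example, not part of the original answer or comments: a minimal Python parser that walks the packets of a binary (non-armored) OpenPGP message and lists, for each Public-Key Encrypted Session Key packet (tag 1), the eight-octet key ID field of RFC 4880 section 5.1, the public-key algorithm ID, and whether the key ID is all zero. The sample message and its key IDs are constructed, and the function names are this example's own.

```python
def read_packets(data):
    """Yield (tag, body) for each packet of a binary OpenPGP message."""
    i = 0
    while i < len(data):
        hdr = data[i]
        i += 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                        # new-format header
            tag = hdr & 0x3F
            o1 = data[i]
            i += 1
            if o1 < 192:                      # one-octet length
                length = o1
            elif o1 < 224:                    # two-octet length
                length = ((o1 - 192) << 8) + data[i] + 192
                i += 1
            elif o1 == 255:                   # five-octet length
                length = int.from_bytes(data[i:i + 4], "big")
                i += 4
            else:                             # partial body: data packet, stop here
                return
        else:                                 # old-format header
            tag = (hdr >> 2) & 0x0F
            ltype = hdr & 0x03
            if ltype == 3:                    # indeterminate length, stop here
                return
            n = (1, 2, 4)[ltype]
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        yield tag, data[i:i + length]
        i += length

def recipients(data):
    """Return [(key_id_hex, pubkey_algo, hidden)] for each v3 PKESK packet."""
    out = []
    for tag, body in read_packets(data):
        if tag == 1 and len(body) >= 10 and body[0] == 3:
            key_id = body[1:9]                # readable by anyone, no key needed
            out.append((key_id.hex().upper(), body[9], key_id == bytes(8)))
    return out

def make_pkesk(key_id, algo, old_format=False):
    # Constructed test packet: version 3, key ID, algorithm, one dummy 8-bit MPI.
    body = b"\x03" + key_id + bytes([algo]) + b"\x00\x08\xaa"
    return bytes([0x84 if old_format else 0xC1, len(body)]) + body

# Constructed sample: RSA (1) and Elgamal (16) recipients, one zeroed key ID, then data.
SAMPLE = (make_pkesk(bytes.fromhex("0123456789ABCDEF"), 1)
          + make_pkesk(bytes.fromhex("FEDCBA9876543210"), 16, old_format=True)
          + make_pkesk(bytes(8), 1)
          + bytes([0xD2, 3]) + b"\x01\x00\x00")
```

Running `recipients()` on a captured message shows the recipient count and key IDs without any private key; a zeroed key ID hides the ID but the packet, and therefore the count, is still visible.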