4

Say I have a file encrypted with GnuPG, in isolation (i.e., I don’t have the relevant keys). Can one then establish the recipients of the encryption? That is:

  • Name/E-Mail/Comment
  • Key ID

Or is this information only discernible if you have the appropriate keys?

Likewise, same question for a GnuPG signed file? (i.e., Can you at least establish the signer, without authenticating their signature, without having the key in your keyring?)

Xophmeister
  • 143
  • 4
  • Dupe https://security.stackexchange.com/questions/25170/what-information-is-leaked-from-an-openpgp-encrypted-file https://security.stackexchange.com/questions/22704/can-all-the-other-recepients-of-a-pgp-encrypted-message-be-identified https://security.stackexchange.com/questions/85157/can-i-check-who-can-decrypt-my-gpg-message-after-i-encrypt-it and related https://security.stackexchange.com/questions/199427/with-gpg-can-3rd-party-verify-that-message-has-been-encrypted-by-specific-publi – dave_thompson_085 May 16 '21 at 07:15
  • 3
    Does this answer your question? [What information is leaked from an OpenPGP encrypted file?](https://security.stackexchange.com/questions/25170/what-information-is-leaked-from-an-openpgp-encrypted-file) – forest May 16 '21 at 08:08

1 Answer

3

> Can one then establish the recipients of the encryption?

Ordinarily, yes. The recipient's Key ID is included in the metadata.

This can be disabled if you use the `--throw-keyids` option.

> Likewise, same question for a GnuPG signed file? (i.e., Can you at least establish the signer, without authenticating their signature, without having the key in your keyring?)

Yes, and as far as I know there is no way to disable the inclusion of the signer's key ID in the signature data (it wouldn't make much sense to do so). If this information needs to be hidden, you should sign, then encrypt the signed file with the throw-keyids option.

fuzzydrawrings
  • 471
  • 2
  • 9
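What the answer above describes, as an added example (not code from the original post): a parser that reads recipient and signer key IDs straight out of binary OpenPGP packets with no key material at hand. The sample bytes and key IDs are constructed; only one- and two-octet packet lengths and one-octet subpacket lengths are handled.

```python
def read_packets(data):
    """Yield (tag, body) for each OpenPGP packet (RFC 4880, section 4.2)."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError("not a binary OpenPGP packet header")
        if hdr & 0x40:                          # new format: tag in bits 5-0
            tag, length, i = hdr & 0x3F, data[i + 1], i + 2
            if 192 <= length < 224:             # two-octet length
                length, i = ((length - 192) << 8) + data[i] + 192, i + 1
            elif length >= 224:
                raise ValueError("partial and five-octet lengths not handled here")
        else:                                   # old format: tag in bits 5-2
            tag, size = (hdr >> 2) & 0x0F, 1 << (hdr & 0x03)
            if size == 8:
                raise ValueError("indeterminate length not handled here")
            length, i = int.from_bytes(data[i + 1:i + 1 + size], "big"), i + 1 + size
        yield tag, data[i:i + length]
        i += length

def issuer_key_ids(sig):
    """Issuer key IDs (subpacket type 16) in a version 4 signature packet body."""
    ids, pos = [], 4                            # skip version, type, pk algo, hash algo
    for _ in range(2 if sig[0] == 4 else 0):    # hashed area, then unhashed area
        n = int.from_bytes(sig[pos:pos + 2], "big")
        area, pos, j = sig[pos + 2:pos + 2 + n], pos + 2 + n, 0
        while j < len(area):
            slen = area[j]                      # assumes one-octet subpacket lengths
            if 0 < slen < 192 and area[j + 1] & 0x7F == 16:
                ids.append(area[j + 2:j + 1 + slen].hex().upper())
            j += 1 + slen
    return ids

def visible_key_ids(data):
    """(role, key ID) pairs readable without holding any private key."""
    found = []
    for tag, body in read_packets(data):
        if tag == 1 and body[0] == 3:           # PKESK v3: version, 8-octet key ID, algo
            found.append(("recipient", body[1:9].hex().upper()))
        elif tag == 2:                          # signature packet
            found += [("signer", k) for k in issuer_key_ids(body)]
    return found

# Constructed sample (made-up key IDs): PKESK, PKESK with zeroed key ID, signature.
MPI = bytes.fromhex("0010beef")
SAMPLE = (bytes([0x84, 14]) + b"\x03" + bytes.fromhex("1122334455667788") + b"\x01" + MPI
          + bytes([0xC1, 14]) + b"\x03" + bytes(8) + b"\x01" + MPI
          + bytes([0x88, 30]) + bytes.fromhex("04000108 0006 050260a0b0c0 000a 0910 a1b2c3d4e5f60718 abcd") + MPI)
```

`visible_key_ids(SAMPLE)` reports the second recipient as `0000000000000000`, which is what a key ID looks like after `--throw-keyids`. On real files, `gpg --list-packets` shows the same fields.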
  • 1
    Maybe it's worth noting that `--throw-keyids` has a slight inconvenience on the client side: all keys must be tried until the correct one is found. That may entail typing a passphrase multiple times. The [pgpdump](https://www.mew.org/~kazu/proj/pgpdump/en/) tool can be used for analyzing GPG packets. – Kate May 15 '21 at 21:58
  • Thanks :) So if I want to guarantee anonymity in, say, a Git repo of encrypted files, I need to be *very* careful? (Along with, tangentially, making sure the commit history also doesn’t leak information.) Possibly so careful that it’s not worth the effort! – Xophmeister May 15 '21 at 22:08
  • 1
    @Xophmeister You could always create a new signing key just for the git repo. And anyway knowing the key ID doesn't break anonymity unless the public key is both available to adversaries and they also know your identity is connected to that key. – fuzzydrawrings May 16 '21 at 01:07
  • @fuzzydrawings It's very important to realize that disabling the key ID only provides **casual anonymity** at best. Due to the [German tank problem](https://crypto.stackexchange.com/a/51561/54184), it's often possible to discover what the actual key ID is. See also [In OpenPGP, when encrypting with public key — is it possible to not include the RSA key id?](https://security.stackexchange.com/q/186306/106285) – forest May 16 '21 at 02:18
  • @forest I can't find information on how the German Tank Problem applies to identifying hidden recipient key IDs for Public-Key Encrypted Session Key packets under the OpenPGP protocol. But certainly when the same session key is encrypted to multiple hidden recipients, one of whom is an adversary, the adversary then knows the session key (because he can decrypt it) and from that it is trivial to show any other PKESK packet for this same session key was encrypted with a given public key. – fuzzydrawrings May 16 '21 at 05:09
  • @fuzzydrawings That's explained in the Crypto.SE link I provided. The fact is, zeroing the key ID in the metadata does not provide true key privacy: _it is feasible for an adversary to distinguish a collection of RSAES-PKCS1-v1_5 ciphertexts (or RSAES-OAEP, but OpenPGP uses PKCS#1 v1.5) under a target public key from a collection of ciphertexts under any other public key, by solving the German tank problem._ – forest May 16 '21 at 05:52
  • @forest Interesting. I'm reading the paper https://eprint.iacr.org/2014/728.pdf now. It seems the caveat applies only to RSA keys. The authors say it is feasible to distinguish which key encrypted a given ciphertext but the absence of a demonstration makes me wonder if it is truly practical. However I'm only just now reading about it so I'm still pretty ignorant on the details. – fuzzydrawrings May 16 '21 at 07:40
  • @fuzzydrawings It is practical. It is a generic attack, not one which requires any kind of advanced cryptanalysis. [crypto.se] might be a good resource to understand it. Or see https://security.stackexchange.com/a/22705/106285: _For instance, with RSA keys, the packet still contains an integer between 0 and n-1, with n being the RSA modulus, with a fairly uniform distribution. Thus, observing many messages can yield, statistically, the first (most significant) few bytes of that modulus, which can be used to discriminate recipients from each other._ – forest May 16 '21 at 08:04
  • @fuzzydrawings You do need multiple messages in order to do this (a public key used only once for encryption with a hidden recipient will not allow someone to recover the public key ID), but it is a fairly trivial attack. – forest May 16 '21 at 08:09
  • Guaranteeing Anonymity is always hard, and we don’t know what it is worth to you (most open source contributors think recognition is more valuable) – eckes May 16 '21 at 14:15
  • @forest I think I might understand now: since the RSA encrypted session key is modulo n, the encrypted value will always be less than n. If the encrypted value is greater than n for a given key, we know that key was not the one used to encrypt. As for revealing the first few bytes of the modulus, it seems that would require many, many repeated encryptions only to the same hidden recipient before that could be revealed. Or am I missing something else? – fuzzydrawrings May 16 '21 at 20:10
  • @fuzzydrawings You're correct. You do need multiple encryptions, but not an overwhelming amount. – forest May 16 '21 at 20:17
  • This conversation is a bit beyond me -- so forgive any naiveté! -- but if the problem you're discussing affects RSA encryption, would ECC resolve this? – Xophmeister May 17 '21 at 10:42
  • @Xophmeister Yes, ECC would resolve this, to the best of my knowledge. – forest May 25 '21 at 00:05
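The statistical argument from the comments above, as an added simulation that is not part of the original thread: it shows how much a zeroed key ID still leaks when the recipient key is RSA. Ciphertexts are modelled as uniform integers below the modulus (an assumption; no real RSA is performed), and the key names and moduli are constructed.

```python
import random

def make_modulus(top_byte, rng, bits=2048):
    """Constructed stand-in for an RSA modulus: chosen top byte, random odd rest."""
    return (top_byte << (bits - 8)) | rng.getrandbits(bits - 8) | 1

def observe(n, k, rng):
    """Model k RSA-encrypted session keys as uniform integers in [0, n)."""
    return [rng.randrange(n) for _ in range(k)]

def analyse(ciphertexts, candidates):
    """Return (keys not ruled out, closest key, estimate of the hidden modulus)."""
    m, k = max(ciphertexts), len(ciphertexts)
    # A ciphertext is always below its own modulus, so any n <= m is excluded.
    possible = {name: n for name, n in candidates.items() if n > m}
    # German tank estimate: the sample maximum plus the average gap m/k.
    estimate = m + m // k
    closest = min(possible, key=lambda name: abs(possible[name] - estimate))
    return sorted(possible), closest, estimate

rng = random.Random(2021)                     # fixed seed, repeatable run
# Constructed key ring: four 2048-bit moduli that differ in their top byte.
CANDIDATES = {name: make_modulus(top, rng) for name, top in
              [("alice", 0xC3), ("bob", 0xD1), ("carol", 0xE7), ("dave", 0xF4)]}

def run(k, hidden="carol"):
    """Analyse k messages whose recipient key ID was zeroed."""
    return analyse(observe(CANDIDATES[hidden], k, rng), CANDIDATES)

if __name__ == "__main__":
    for k in (1, 10, 500):
        possible, closest, estimate = run(k)
        print(k, possible, closest, hex(estimate >> 2040))
```

With a single message little can be excluded, which matches the remark that one hidden-recipient encryption does not reveal the key; with several hundred, the smaller moduli are ruled out and the estimate lands next to the true one.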