If I encrypt the same file twice with GnuPG, using the same key, will I get the same result? Or is it using some random/pseudo-random segment to improve security, like rsyncrypto?
- I didn't mention it before, but I guessed it would have a random component. Now I need to save the md5sum of the encrypted version. – Didi Kohen Apr 04 '13 at 19:23
- No disrespect meant, but it somewhat boggles my mind that you would post a question for something that you could easily answer yourself in 30 seconds by running the same command twice. – rsaw Apr 05 '13 at 06:06
- Knowing if it's consistent across multiple tries is half the question; I did not know if there's some command line option to set the random component to a fixed preset one. Running the same command twice will tell me how it is in my version; I didn't know in advance if there are different behaviours for different versions. – Didi Kohen Apr 05 '13 at 16:49
2 Answers
Generally speaking, no, encrypting the same file with the same key will not produce the same file, for three reasons:
1. The OpenPGP format (which GnuPG implements) uses hybrid encryption: a random, symmetric key is encrypted with the recipient's public key (of type RSA or ElGamal), and that symmetric key is itself used to encrypt the message body with a symmetric encryption algorithm. Hybrid encryption is used because asymmetric encryption algorithms are very limited in their range (e.g. a 2048-bit RSA key cannot encrypt more than 245 bytes in one go) and have high overhead (both in CPU and resulting message size). Since the symmetric key is not saved anywhere on the sender's side, a new random key will be created each time, and will be different with overwhelming probability.
2. Asymmetric encryption itself is randomized. E.g., with RSA, the padding includes random bytes. This is needed "in general", because the public key is public, so everybody knows it; if encryption was deterministic, attackers could run an exhaustive search on the message. This would not be an issue in the specific case of OpenPGP (the message is a random key, large enough to defeat exhaustive search on its own), but standards for RSA or ElGamal have a larger scope and include random padding.
3. When doing the symmetric encryption itself, a random IV is used, and will be different (with overwhelming probability) for each invocation. See section 5.7 for details.
The third point also applies when doing password-based encryption (encryption is done with a password, not with a recipient's public key). Password-based encryption also adds a fourth randomization, which is the salt in the password-to-key transform.
- Why does RSA use randomized padding rather than something akin to an IV? – Stephen Touset Apr 04 '13 at 20:08
- @Stephen: Symmetric ciphers can get away with using a [block-mode](http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation), because they typically have the luxury of being able to use a different key for every communication-session. In public-key crypto, where the key might need to be signed by a certificate authority, you don't. Note that since PGP uses a hybrid encryption *(meaning the actual message is encrypted with a symmetric-algorithm, with a different key for every file/file-group)*, the message *will* be encrypted using a block-mode. – BlueRaja - Danny Pflughoeft Apr 04 '13 at 22:48
- I'm not sure that answers my question. Using a random IV is completely orthogonal to having unique session keys or having certificates signed by public authorities. Why *pad* with a random value rather than – Stephen Touset Apr 05 '13 at 00:32
- An IV is a starting point for an iterative process; e.g. with a block cipher in CBC mode, blocks are processed one after the other. RSA is not iterative; it processes _one_ value in one go. – Thomas Pornin Apr 05 '13 at 01:07
- @StephenTouset you have asked an excellent question. I think it'll be better to post it as a question so people can find it. (you are welcome to comment with a link) – Didi Kohen Apr 05 '13 at 16:55
- What about the `--symmetric` encryption provided by command `gpg2`? – Siyuan Ren Oct 17 '14 at 05:39
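The randomized RSA padding and the 245-byte limit from the first answer above, as an added example that is not part of the original posts or of GnuPG's code. It implements PKCS#1 v1.5 encryption padding (the RSA padding OpenPGP uses) over a constructed demo key; the key, the sample session key and all function names are assumptions made for illustration.

```python
import secrets

# Constructed demo key built from two Mersenne primes. Their special form
# makes it insecure; it only spares the example a key-generation routine.
P, Q = 2**1279 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)
K = (N.bit_length() + 7) // 8       # modulus length in bytes


def max_message_len(modulus_bits):
    """Largest message that fits: 11 bytes of the block are padding overhead."""
    return (modulus_bits + 7) // 8 - 11


def pad(message, k):
    """Build 0x00 0x02 <random nonzero bytes> 0x00 <message>, k bytes long."""
    if len(message) > k - 11:
        raise ValueError("message too long for this modulus")
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(k - 3 - len(message)))
    return b"\x00\x02" + ps + b"\x00" + message


def unpad(block):
    """Strip the padding, rejecting blocks that do not have the expected shape."""
    if block[:2] != b"\x00\x02":
        raise ValueError("bad padding header")
    sep = block.index(b"\x00", 2)   # first zero byte ends the random string
    if sep < 10:
        raise ValueError("padding string shorter than 8 bytes")
    return block[sep + 1:]


def encrypt(message):
    m = int.from_bytes(pad(message, K), "big")
    return pow(m, E, N).to_bytes(K, "big")


def decrypt(ciphertext):
    m = pow(int.from_bytes(ciphertext, "big"), D, N)
    return unpad(m.to_bytes(K, "big"))


if __name__ == "__main__":
    session_key = bytes(range(32))  # constructed sample, fixed on purpose
    a, b = encrypt(session_key), encrypt(session_key)
    print("ciphertexts equal:", a == b)
    print("plaintexts equal: ", decrypt(a) == decrypt(b) == session_key)
```

Even with the session key held fixed, the two ciphertexts differ while both decrypt to the same bytes, so a checksum taken over encrypted output only matches that one particular output.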
GnuPG encryption is not deterministic and thus will return different output for each run. Encrypting, then decrypting is deterministic of course and will always return the same contents.
Explanation:
GnuPG uses asymmetric encryption, which is slow when encrypting huge amounts of data. For this reason, it uses your private key to encrypt a random block cipher which is again used to encrypt your data.
Each time you're encrypting data, a new random block cipher will be generated, so the encrypted data will look different.
I encrypted the same document twice and calculated the MD5 checksums after each encryption:
```
$ gpg --encrypt test.txt
$ md5 test.txt.gpg
MD5 (test.txt.gpg) = f2f6a07e0d7ae9899315d0471c2596bc
$ gpg --encrypt test.txt
$ md5 test.txt.gpg
MD5 (test.txt.gpg) = b57d4c360b1c3c6b2202ce6c3d32cdd8
```