• Are session keys of encrypted messages a vulnerability?

    From Christoffer Ekberg@21:1/5 to All on Fri Sep 18 16:32:25 2015
    Juergen Nieveler wrote on 2015-06-28 17:10:
    > Jack Ryan<noreply@remailer.cpunk.us> wrote:
    >
    >> Actually, I've read that about how a key used in straight symmetric
    >> encryption will be effectively much stronger than an asymmetric key.
    >>
    >> I'm just wondering if the 256-bit key is not a vulnerability, and
    >> if it could be improved by making a stronger session key.
    >
    > 256bit with a decent algorithm is long enough - in fact, there isn't
    > any implementation of AES-512 that I know of.


    First, the security term Vulnerability describes a method by which the
    degree of security provided by the design and the security goals
    established by it.

    In PGP, the session key should in a thought-through design be just as
    secure as the asymmetric key encrypting the session key (crack one,
    crack everything). This means, if the user is able to pick a weaker key,
    either session or asymmetric, without being presented with information
    about the security strength imbalance between the two keys, I'd classify
    it as a Vulnerability.

    It is widely accepted in the field of computer security that a complex
    system without clear usage instructions, that could in practice be used
    incorrectly, weakening the total strength of the system, is a
    vulnerability as users can be made to think the system is guaranteed to
    have strong security no matter the configuration.

    The way that a short session key is encrypted also plays a role in the
    security strength. Plain non-preprocessed encryption of the session key
    is proved to be halving the strength compared to a preprocessing
    implementation. A 64-bit session key encrypted without preprocessing the
    plaintext can be recovered in the same time a preprocessed 32-bit
    session key is cracked.

    "Why Textbook ElGamal and RSA Encryption are Insecure"
    http://www.ssi.gouv.fr/archive/fr/sciences/fichiers/lcr/bojong00.pdf

    * Origin: fsxNet Usenet Gateway (21:1/5)
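
The halving effect described in the post, as an added example that is not part of the original thread: a toy textbook-RSA setup where a 32-bit session key that happens to split into two 16-bit factors is recovered with about 2 x 2^16 exponentiations, while the same search fails once the key is preprocessed. The modulus, the session key and the `padded_encrypt` stand-in (real systems use a scheme such as OAEP) are constructed for illustration.

```python
# Added example (not from the post): why a short session key needs
# preprocessing before raw RSA encryption. Toy parameters only.
import secrets

# Constructed toy modulus from two Mersenne primes; far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537

def textbook_encrypt(m: int) -> int:
    """Raw RSA, no preprocessing: E(a*b) == E(a)*E(b) mod N."""
    return pow(m, E, N)

def padded_encrypt(key: int, key_bits: int = 32) -> int:
    """Hypothetical stand-in for preprocessing: random high bits remove the
    small-factor structure. Illustration only, not a secure padding scheme."""
    r = secrets.randbits(56) | 1            # non-zero random prefix
    return pow((r << key_bits) | key, E, N)

def meet_in_the_middle(c: int, half_bits: int):
    """Look for m = m1*m2 with m1, m2 <= 2**half_bits.
    Work is about 2 * 2**half_bits exponentiations instead of 2**(2*half_bits)."""
    bound = 2**half_bits
    table = {pow(m2, E, N): m2 for m2 in range(1, bound + 1)}
    for m1 in range(1, bound + 1):
        # c / m1^E mod N equals m2^E mod N exactly when m == m1 * m2
        candidate = c * pow(pow(m1, E, N), -1, N) % N
        m2 = table.get(candidate)
        if m2 is not None:
            return m1 * m2
    return None

# Constructed 32-bit "session key" that splits into two 16-bit factors.
SESSION_KEY = 50021 * 60013

if __name__ == "__main__":
    raw = meet_in_the_middle(textbook_encrypt(SESSION_KEY), 16)
    padded = meet_in_the_middle(padded_encrypt(SESSION_KEY), 16)
    print("textbook RSA, key recovered:", raw == SESSION_KEY)
    print("with preprocessing, search result:", padded)
```

The search only succeeds for keys that factor this way, which is why the post's "same time as a 32-bit key" applies to the unpreprocessed case and not to a padded one.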