Score:1

Is gpg -c safe if an attacker can see multiple versions of a file?


Let's say I have a text file, and I modify it slightly 20 times, and I encrypt each modification using gpg -c (with the same 20-character secure password). If the attacker has access to the 20 encrypted versions, is the decryption time lower? In this exact scenario, is the encryption breakable?

Score:2

If the attacker has access to the 20 encrypted versions, is the decryption time lower? In this exact scenario, is the encryption breakable?

No, it isn't lower, and no, the encryption won't be breakable any more than a single ciphertext.

The command gpg -c will use an iterated and salted string-to-key function by default (tested using gpg (GnuPG) 2.2.19).

The following was generated using the pgpdump command line tool after I encrypted a small text file using gpg -c:

Old: Symmetric-Key Encrypted Session Key Packet(tag 3)(13 bytes)
        New version(4)
        Sym alg - AES with 256-bit key(sym 9)
        Iterated and salted string-to-key(s2k 3):
                Hash alg - SHA1(hash 2)
                Salt - bc da bd be 72 43 43 8a
                Count - 65011712(coded count 255)
New: Symmetrically Encrypted and MDC Packet(tag 18)(90 bytes)
        Ver 1
        Encrypted data [sym alg is specified in sym-key encrypted session key]
                (plain text + MDC SHA1(20 bytes))

A string-to-key function is known as a Password Based Key Derivation Function or PBKDF.

The random 64-bit salt is combined with the password to generate a new secret value, which will be used to perform the encryption. As each key is generated using a different input, and since PBKDFs are not invertible, the encryption keys do not provide any attack vector. Information about one key doesn't give any information about the other keys that were generated.

The actual encryption keys may as well have been generated by a secure random number generator - as long as the attacker doesn't find the password. But searching for the password isn't sped up at all compared to a single ciphertext.
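
The key derivation the answer describes, as an added example that is not part of the original answer or of GnuPG's code: the iterated and salted S2K from RFC 4880 section 3.7.1.3, using the salt and coded count shown in the pgpdump output. The passphrase and the helper names are constructed for illustration.

```python
import hashlib
import os

def decode_count(coded: int) -> int:
    """Expand the one-octet coded count (RFC 4880, section 3.7.1.3)."""
    return (16 + (coded & 15)) << ((coded >> 4) + 6)

def s2k_iterated_salted(passphrase: bytes, salt: bytes, coded_count: int,
                        key_len: int = 32) -> bytes:
    """Derive key_len bytes with SHA-1, matching the dump (hash 2, sym 9)."""
    if len(salt) != 8:
        raise ValueError("OpenPGP S2K salt is exactly 8 octets")
    unit = salt + passphrase
    # The count is the number of octets hashed, not a number of rounds;
    # salt+passphrase is always hashed at least once in full.
    count = max(decode_count(coded_count), len(unit))
    full, rest = divmod(count, len(unit))
    chunk = unit * 4096  # feed large buffers to keep Python overhead low
    key = b""
    preload = 0
    while len(key) < key_len:
        # SHA-1 yields 20 bytes but AES-256 needs 32, so a second hash
        # context preloaded with one zero octet supplies the rest.
        h = hashlib.sha1(b"\x00" * preload)
        for _ in range(full // 4096):
            h.update(chunk)
        h.update(unit * (full % 4096))
        h.update(unit[:rest])
        key += h.digest()
        preload += 1
    return key[:key_len]

def keys_for_versions(passphrase: bytes, n: int, coded_count: int = 255):
    """One fresh random salt per encryption, so one unrelated key each."""
    salts = [os.urandom(8) for _ in range(n)]
    return [(s, s2k_iterated_salted(passphrase, s, coded_count)) for s in salts]

if __name__ == "__main__":
    print(decode_count(255))  # octet count for "coded count 255"
    page_salt = bytes.fromhex("bcdabdbe7243438a")  # salt from the dump above
    pw = b"constructed-passphrase"  # constructed sample, not a real secret
    print(s2k_iterated_salted(pw, page_salt, 255).hex())
    for salt, key in keys_for_versions(pw, 3):
        print(salt.hex(), key.hex())
```

Each guess at the password has to be run through the full derivation separately for every salt, so holding 20 ciphertexts gives the attacker 20 independent targets rather than a cheaper one.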
