Discussion:
Are session keys of encrypted messages a vulnerability?
Anonymous
2015-05-22 03:42:35 UTC
I have a really good pass phrase, one that is probably not
vulnerable to dictionary attacks, and long enough that a brute
force attack would take longer than anyone will ever live.

My understanding is that if I use my gpg public key encryption to
encrypt a message the actual message is encrypted with symmetric
encryption, most usually AES256 these days, and that symmetrically
encrypted message is encrypted using a session key that is
generated by gpg on the fly.

That session key is a 64 character hex number, so a 256-bit key.
And that session key is the only thing that my big, tough pass
phrase is being used by RSA to encrypt.

My pass phrase is a LOT stronger than 256-bits.

How vulnerable is that 256-bit session key?

My original question here was, "Should I just use symmetric
encryption where I can? That will use whatever seriously large key
I can come up with, which is going to be more difficult to crack
than a 256-bit key."

But I did a gpg2 --show-session-key [symmetrically encrypted file
name] and gpg2 showed me a session key! It was another 256-bit key.

I am now wondering if there is anything that's secure. Would a
nation-state adversary be able to generate a rainbow table of those
256-bit keys? Would they be likely to crack the session key of an
encrypted message, whether public key or symmetric, if they really
put their resources against it?

I am assuming that once they've gotten the session key
knowledgeable people could just decrypt the message or file. Is
there really any sense in using a seriously strong pass phrase,
even with symmetric encryption?

Signed - Stoopid_newbie
Arthur T.
2015-05-22 04:24:38 UTC
In
Post by Anonymous
How vulnerable is that 256-bit session key?
If you can try one trillion keys per second, it would take, on
average, almost 2 times 10 to the 57th years to crack. If you can
try a trillion trillion keys per second (i.e. 10^24 keys per second),
it would only take about 2*10^24 years to crack. The universe is
currently about 1.3*10^10 years old.

If I made mistakes in these calculations, I'm sure someone will
notice and correct me. After all, this is Usenet.
--
Arthur T. - ar23hur "at" pobox "dot" com
Anonymous Remailer (austria)
2015-06-22 08:38:59 UTC
Post by Arthur T.
In
Post by Anonymous
How vulnerable is that 256-bit session key?
If you can try one trillion keys per second, it would take, on
average, almost 2 times 10 to the 57th years to crack. If you can
try a trillion trillion keys per second (i.e. 10^24 keys per second),
it would only take about 2*10^24 years to crack. The universe is
currently about 1.3*10^10 years old.
If I made mistakes in these calculations, I'm sure someone will
notice and correct me. After all, this is Usenet.
Your math is correct, but not quite satisfying. Yeah, maybe I'm
completely paranoid. Thing is, I think that some base 95 key that's
more than 64 characters long is going to be much more difficult to
crack than the hexadecimal key that's 64 characters long.

Seriously, I have to wonder if certain parties (maybe not just
major governmental players) have a better approach to breaking a
256-bit session key than brute force. And if I want to have a base
95 key that's 64 characters long I would like it if I could make
that the only key involved, or make that the session key, to put it
another way.

A 64 character base 64 key has 3.94 * 10^115 possibilities.

A 64 character base 95 key has 3.75 * 10^126 possibilities.

Or, if things are really limited to some hashing which will only
produce hexadecimal numbers, I would feel better with a 128
character session key, which has 1.34 * 10^154 possible values.

All of these are going to be less likely to be found out than the
1.16 * 10^77 possibilities of a current 256-bit session key.

All right, tell me I'm just too unrealistically paranoid, or that
none of the above key sizes are practical in any software.


Signed - Stoopid_newbie
William Unruh
2015-06-22 12:58:09 UTC
Post by Anonymous Remailer (austria)
Post by Arthur T.
In
Post by Anonymous
How vulnerable is that 256-bit session key?
If you can try one trillion keys per second, it would take, on
average, almost 2 times 10 to the 57th years to crack. If you can
try a trillion trillion keys per second (i.e. 10^24 keys per second),
it would only take about 2*10^24 years to crack. The universe is
currently about 1.3*10^10 years old.
If I made mistakes in these calculations, I'm sure someone will
notice and correct me. After all, this is Usenet.
Your math is correct, but not quite satisfying. Yeah, maybe I'm
completely paranoid. Thing is, I think that some base 95 key that's
more than 64 characters long is going to be much more difficult to
crack than the hexadecimal key that's 64 characters long.
Seriously, I have to wonder if certain parties (maybe not just
major governmental players) have a better approach to breaking a
256-bit session key than brute force. And if I want to have a base
95 key that's 64 characters long I would like it if I could make
that the only key involved, or make that the session key, to put it
another way.
Wonder on. Maybe they can read your brainwaves or the waves from your
computer at a distance so they can read the message directly from your
mind. Why not? You seem willing to give them arbitrary powers,
unconstrained by physics.
Post by Anonymous Remailer (austria)
A 64 character base 64 key has 3.94 * 10^115 possibilities.
A 64 character base 95 key has 3.75 * 10^126 possibilities.
Or, if things are really limited to some hashing which will only
produce hexadecimal numbers, I would feel better with a 128
character session key, which has 1.34 * 10^154 possible values.
Why not use a key a googol in length. You should be even more protected!
Post by Anonymous Remailer (austria)
All of these are going to be less likely to be found out than the
1.16 * 10^77 possibilities of a current 256-bit session key.
All right, tell me I'm just too unrealistically paranoid, or that
none of the above key sizes are practical in any software.
Signed - Stoopid_newbie
Anonymous
2015-06-27 02:25:02 UTC
Post by William Unruh
Post by Anonymous Remailer (austria)
Post by Arthur T.
In
Post by Anonymous
How vulnerable is that 256-bit session key?
If you can try one trillion keys per second, it would take, on
average, almost 2 times 10 to the 57th years to crack. If you can
try a trillion trillion keys per second (i.e. 10^24 keys per second),
it would only take about 2*10^24 years to crack. The universe is
currently about 1.3*10^10 years old.
If I made mistakes in these calculations, I'm sure someone will
notice and correct me. After all, this is Usenet.
Your math is correct, but not quite satisfying. Yeah, maybe I'm
completely paranoid. Thing is, I think that some base 95 key that's
more than 64 characters long is going to be much more difficult to
crack than the hexadecimal key that's 64 characters long.
Seriously, I have to wonder if certain parties (maybe not just
major governmental players) have a better approach to breaking a
256-bit session key than brute force. And if I want to have a base
95 key that's 64 characters long I would like it if I could make
that the only key involved, or make that the session key, to put it
another way.
Wonder on. Maybe they can read your brainwaves or the waves from your
computer at a distance so they can read the message directly from your
mind. Why not? You seem willing to give them arbitrary powers,
unconstrained by physics.
Looks like you're into being dismissive, and heaping in a bit of
abuse for the fun of it.

There's an article around now about the possibility that typed in
plaintext might be readable by seeing the pattern of heat that a
computer gives off. I do not think it far fetched to wonder about a
256-bit session key not being perfectly safe for the foreseeable
future.
Post by William Unruh
Post by Anonymous Remailer (austria)
A 64 character base 64 key has 3.94 * 10^115 possibilities.
A 64 character base 95 key has 3.75 * 10^126 possibilities.
Or, if things are really limited to some hashing which will only
produce hexadecimal numbers, I would feel better with a 128
character session key, which has 1.34 * 10^154 possible values.
Why not use a key a googol in length. You should be even more protected!
We don't have the technology to make that practical yet.

I do wonder how difficult it would be to make gpg use a 512-bit
session key. It's probably inevitable that this will be needed in
the future. I am not a programmer, but I am wondering if gpg uses
SHA-256 to generate the session key now. Would it be that big a
problem to make it use SHA-512 to make the session key? Would such
a gpg version have backward compatibility problems?

Anyone have any information on the above? I know I could look at
the source code, but not being a programmer I don't think I could
answer the questions I have just by looking at it.

Does anyone here know if this topic of the vulnerability of the
session keys is something that the people who actually work on gpg
are looking at?

Thanks for any help, derision not necessary.


Signed - Stoopid_newbie
William Unruh
2015-05-22 06:03:59 UTC
Post by Anonymous
I have a really good pass phrase, one that is probably not
vulnerable to dictionary attacks, and long enough that a brute
force attack would take longer than anyone will ever live.
My understanding is that if I use my gpg public key encryption to
encrypt a message the actual message is encrypted with symmetric
encryption, most usually AES256 these days, and that symmetrically
Yes.
Post by Anonymous
encrypted message is encrypted using a session key that is
generated by gpg on the fly.
That session key is a 64 character hex number, so a 256-bit key.
And that session key is the only thing that my big, tough pass
phrase is being used by RSA to encrypt.
No. Your pass phrase is used to protect your private key on your own
machine. RSA does not take a key. It generates two primes once, and uses
those to generate your public and private keys.
Post by Anonymous
My pass phrase is a LOT stronger than 256-bits.
Don't bet on that.
Post by Anonymous
How vulnerable is that 256-bit session key?
2^256
Post by Anonymous
My original question here was, "Should I just use symmetric
encryption where I can? That will use whatever seriously large key
I can come up with, which is going to be more difficult to crack
than a 256-bit key."
You are getting silly. A 256 bit truly random key is so difficult to
decrypt that it is not what you should be worrying about. Far more likely
is rubber hose crypto, or them cracking your machine and watching you
type in your pass phrase.
Post by Anonymous
But I did a gpg2 --show-session-key [symmetrically encrypted file
name] and gpg2 showed me a session key! It was another 256-bit key.
I am now wondering if there is anything that's secure. Would a
nation-state adversary be able to generate a rainbow table of those
256-bit keys? Would they be likely to crack the session key of an
Think about it. Then answer your own question. How many 256-bit keys are
there? How many atoms are there in the universe? Compare.
Post by Anonymous
encrypted message, whether public key or symmetric, if they really
put their resources against it?
I am assuming that once they've gotten the session key
knowledgeable people could just decrypt the message or file. Is
there really any sense in using a seriously strong pass phrase,
even with symmetric encryption?
They are used for different purposes. The session key encrypts the file.
The public/private key encrypts the session key. Your passphrase encrypts
the private key file on your computer.
Post by Anonymous
Signed - Stoopid_newbie
Anonymous Remailer (austria)
2015-06-22 08:46:17 UTC
Post by William Unruh
....
Post by Anonymous
My pass phrase is a LOT stronger than 256-bits.
Don't bet on that.
Why wouldn't it be? What if my pass phrase is a 512-bit hexadecimal
number? Surely that's going to be stronger than a 256-bit one?
Post by William Unruh
....
Post by Anonymous
My original question here was, "Should I just use symmetric
encryption where I can? That will use whatever seriously large key
I can come up with, which is going to be more difficult to crack
than a 256-bit key."
You are getting silly. A 256 bit truly random key is so difficult to
decrypt that it is not what you should be worrying about. Far more likely
is rubber hose crypto, or them cracking your machine and watching you
type in your pass phrase.
Well, I'm not sure that I'm being silly here. I'm even seeing
something about patterns showing up in the products of the huge
primes used to make RSA keys. If there's some algorithm that will
factor that product certain agencies may already be looking at
whatever they please.
Post by William Unruh
Post by Anonymous
But I did a gpg2 --show-session-key [symmetrically encrypted file
name] and gpg2 showed me a session key! It was another 256-bit key.
I am now wondering if there is anything that's secure. Would a
nation-state adversary be able to generate a rainbow table of those
256-bit keys? Would they be likely to crack the session key of an
Think about it. Then answer your own question. How many 256-bit keys are
there? How many atoms are there in the universe? Compare.
Yeah about 10^80 atoms in the universe vs. 1.16 * 10^77 256-bit
keys. But a 512-bit key would have 1.34 * 10^154 possible keys. Why
not let that be the default?
Post by William Unruh
Post by Anonymous
encrypted message, whether public key or symmetric, if they really
put their resources against it?
I am assuming that once they've gotten the session key
knowledgeable people could just decrypt the message or file. Is
there really any sense in using a seriously strong pass phrase,
even with symmetric encryption?
They are used for different purposes. The session key encrypts the file.
The public/private key encrypts the session key. Your passphrase encrypts
the private key file on your computer.
But my point is that I can make a key, or a session key for a
symmetrically encrypted file, that is stronger than 256-bits.

Part of the problem I'm having is that I'm surprised about the
session key size used in the symmetrically encrypted way of doing
things.


Signed - Stoopid_newbie
Joe User
2015-05-22 11:13:33 UTC
Post by Anonymous
I have a really good pass phrase, one that is probably not
vulnerable to dictionary attacks, and long enough that a brute
force attack would take longer than anyone will ever live.
That may not matter because depending on the password hash it is possibly
shorter than your actual passphrase. Have a good look at gpg.conf and
understand all the options or ask on the gpg lists or here.
Post by Anonymous
My understanding is that if I use my gpg public key encryption to
encrypt a message the actual message is encrypted with symmetric
encryption, most usually AES256 these days, and that symmetrically
encrypted message is encrypted using a session key that is
generated by gpg on the fly.
Yes it is a pseudo random number and depends on the quality of the rng in
gpg and/or your OS and hardware.
Post by Anonymous
That session key is a 64 character hex number, so a 256-bit key.
And that session key is the only thing that my big, tough pass
phrase is being used by RSA to encrypt.
My pass phrase is a LOT stronger than 256-bits.
As was stated not necessarily.
Post by Anonymous
How vulnerable is that 256-bit session key?
Practically it is not. I would be a lot more concerned with cipher choice or
RSA keylengths. The session key is generated uniquely for each message.
Compromising a session key gets the attacker access to exactly 1 message.
Compromising the cipher gets all messages and so does cracking your RSA
key. AES is a little suspicious but there aren't many good choices. Serpent
or Blowfish might be better choices. Camellia is another variant of AES and
has the same issues.

How big are your RSA keys? Anything less than 4k is probably within shooting
range of the big guns. Anything more is probably not for the next 5 to 10
years. It all depends on how bad they want it. Criminals are probably low
hanging fruit. They're stupid and in a hurry and because they are evil they
will probably eventually get caught. Privacy advocates like us who just want
the wrong people minding their own business are hopefully not on anybody's
list and will remain that way.
Post by Anonymous
My original question here was, "Should I just use symmetric
encryption where I can? That will use whatever seriously large key
I can come up with, which is going to be more difficult to crack
than a 256-bit key."
No, the ciphers all have key limits and so far none of them use more than
256 bits of key material.
Post by Anonymous
But I did a gpg2 --show-session-key [symmetrically encrypted file
name] and gpg2 showed me a session key! It was another 256-bit key.
What did you expect? See above. And see the manpage for gpg/gpg2.
Post by Anonymous
I am now wondering if there is anything that's secure. Would a
nation-state adversary be able to generate a rainbow table of those
256-bit keys? Would they be likely to crack the session key of an
encrypted message, whether public key or symmetric, if they really
put their resources against it?
It's far easier to kill people or do other bad stuff than wasting a few
campuses worth of hard drives and electricity doing that. One good thing
about all the spying is it usually takes the heat off normal people since
most normal people aren't communicating with suspected terrorists. However
there is no reason to believe the descent into serfdom won't continue and
crypto will be illegal or "probable cause" and I think it is in some
countries already and in that case you're already interesting if nothing
else that they will piss on you for the sake of pissing on you.
Post by Anonymous
I am assuming that once they've gotten the session key
knowledgeable people could just decrypt the message or file.
Yes, that one message.
Post by Anonymous
Is there really any sense in using a seriously strong pass phrase, even
with symmetric encryption?
gpg will hash your passphrase and pad it to be suitably long for the cipher
in question. The more randomness in your passphrase the better that works in
theory anyway.

You must use a suitably difficult and long passphrase or a brute force
attack becomes very doable.
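The passphrase hashing Joe User describes (gpg hashes and pads the passphrase to the cipher's key length) and the key-space and brute-force figures from Arthur T.'s and the remailer's posts, written out as an added example that is not gpg's code nor anything posted in the thread: an implementation of OpenPGP's iterated and salted string-to-key function as specified in RFC 4880, plus the arithmetic for effective key bits and expected search time. The salt, count byte, hash choice and passphrases are constructed sample values, not gpg defaults.

```python
import hashlib
import math


def s2k_decode_count(coded: int) -> int:
    """Decode the one-octet S2K count (RFC 4880 3.7.1.3) into octets to hash."""
    return (16 + (coded & 15)) << ((coded >> 4) + 6)


def s2k_hash_input(passphrase: bytes, salt: bytes, coded_count: int) -> bytes:
    """(salt || passphrase) repeated and cut to `count` octets, but never
    shorter than a single copy of salt || passphrase."""
    if len(salt) != 8:
        raise ValueError("OpenPGP S2K salt is exactly 8 octets")
    block = salt + passphrase
    count = max(s2k_decode_count(coded_count), len(block))
    reps, tail = divmod(count, len(block))
    return block * reps + block[:tail]


def s2k_iterated_salted(passphrase: bytes, salt: bytes, coded_count: int,
                        key_len: int, hash_name: str = "sha1") -> bytes:
    """Iterated and salted S2K: hash the stream into exactly key_len octets.
    If one digest is too short, further hash contexts are preloaded with
    0, 1, 2, ... zero octets and their digests concatenated (RFC 4880 3.7.1.1).
    The output is truncated, so no passphrase yields more than key_len octets."""
    stream = s2k_hash_input(passphrase, salt, coded_count)
    out = b""
    ctx = 0
    while len(out) < key_len:
        h = hashlib.new(hash_name)
        h.update(b"\x00" * ctx)  # context 0: no prefix, context 1: one zero, ...
        h.update(stream)
        out += h.digest()
        ctx += 1
    return out[:key_len]


def effective_key_bits(alphabet_size: int, length: int, cipher_key_bits: int) -> float:
    """Search space an attacker faces for a symmetrically encrypted message:
    the passphrase's entropy, capped by the cipher key length the S2K output
    is truncated to."""
    return min(length * math.log2(alphabet_size), cipher_key_bits)


def expected_brute_force_years(key_bits: float, keys_per_second: float) -> float:
    """Average exhaustive-search time: half the key space at the given rate."""
    seconds_per_year = 365.25 * 24 * 3600
    return 2 ** (key_bits - 1) / keys_per_second / seconds_per_year


if __name__ == "__main__":
    salt = bytes.fromhex("0011223344556677")  # constructed sample salt
    for label, passphrase in [
        ("8 lowercase letters", b"abcdefgh"),
        ("128 hex digits (512 bits)", b"0123456789abcdef" * 8),
    ]:
        key = s2k_iterated_salted(passphrase, salt, 0x60, 32, "sha256")
        print(f"{label}: {len(key) * 8}-bit cipher key {key.hex()[:16]}...")
    for alphabet, length in [(26, 8), (16, 64), (95, 64), (16, 128)]:
        bits = effective_key_bits(alphabet, length, 256)
        years = expected_brute_force_years(bits, 1e12)
        print(f"alphabet {alphabet:>2} x {length:>3} chars -> {bits:6.1f} "
              f"effective bits, {years:.2e} years at 10^12 keys/s")
```

The last loop shows the point of the thread: a 64-character base-95 passphrase and a 128-character hex one both end up as a 256-bit cipher key, while a short passphrase gives far less than 256 bits.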
Anonymous Remailer (austria)
2015-06-22 09:01:59 UTC
Post by Joe User
Post by Anonymous
I have a really good pass phrase, one that is probably not
vulnerable to dictionary attacks, and long enough that a brute
force attack would take longer than anyone will ever live.
That may not matter because depending on the password hash it is possibly
shorter than your actual passphrase.
That's exactly what I was surprised at discovering, and concerned
about.
Post by Joe User
Have a good look at gpg.conf and understand all the options or ask
on the gpg lists or here.
Well, I've looked, but I'm still thinking that the 256-bit session
key is unnecessarily vulnerable.
Post by Joe User
....
Post by Anonymous
How vulnerable is that 256-bit session key?
Practically it is not. I would be a lot more concerned with cipher choice or
RSA keylengths. The session key is generated uniquely for each message.
Compromising a session key gets the attacker access to exactly 1 message.
Compromising the cipher gets all messages and so does cracking your RSA
key. AES is a little suspicious but there aren't many good choices. Serpent
or Blowfish might be better choices. Camellia is another variant of AES and
has the same issues.
How big are your RSA keys? Anything less than 4k is probably within shooting
range of the big guns.
Those are all 4096-bit keys.
Post by Joe User
Anything more is probably not for the next 5 to 10 years.
I would like a farther horizon.
Post by Joe User
It all depends on how bad they want it. Criminals are probably low
hanging fruit. They're stupid and in a hurry and because they are
evil they will probably eventually get caught. Privacy advocates
like us who just want the wrong people minding their own business
are hopefully not on anybody's list and will remain that way.
Some of the criminals are getting pretty sophisticated. And the big
players may want to sweep the field of "privacy advocates like us"
for some reason.

And I really just want to feel that I am taking good precautions to
guard my privacy from both criminals and the big players.
Post by Joe User
Post by Anonymous
My original question here was, "Should I just use symmetric
encryption where I can? That will use whatever seriously large key
I can come up with, which is going to be more difficult to crack
than a 256-bit key."
No, the ciphers all have key limits and so far none of them use more than
256 bits of key material.
Which is what I'm surprised and concerned about.
Post by Joe User
....
Post by Anonymous
Is there really any sense in using a seriously strong pass phrase, even
with symmetric encryption?
gpg will hash your passphrase and pad it to be suitably long for the cipher
in question. The more randomness in your passphrase the better that works in
theory anyway.
You must use a suitably difficult and long passphrase or a brute force
attack becomes very doable.
But the attacker would be making better use of their resources by
attacking the session key instead of trying to get around my more
powerful key that I'm using for the symmetric encryption. I was
surprised to find that my very strong keys were getting reduced to
256-bits.

I think I'm just feeling doomed here.
Anonymous
2015-07-11 03:46:44 UTC
Post by Anonymous Remailer (austria)
Post by Joe User
Post by Anonymous
I have a really good pass phrase, one that is probably not
vulnerable to dictionary attacks, and long enough that a brute
force attack would take longer than anyone will ever live.
That may not matter because depending on the password hash it is possibly
shorter than your actual passphrase.
That's exactly what I was surprised at discovering, and concerned
about.
Post by Joe User
Have a good look at gpg.conf and understand all the options or ask
on the gpg lists or here.
Well, I've looked, but I'm still thinking that the 256-bit session
key is unnecessarily vulnerable.
Post by Joe User
....
Post by Anonymous
How vulnerable is that 256-bit session key?
Practically it is not. I would be a lot more concerned with cipher choice or
RSA keylengths. The session key is generated uniquely for each message.
Compromising a session key gets the attacker access to exactly 1 message.
Compromising the cipher gets all messages and so does cracking your RSA
key. AES is a little suspicious but there aren't many good choices. Serpent
or Blowfish might be better choices. Camellia is another variant of AES and
has the same issues.
How big are your RSA keys? Anything less than 4k is probably within shooting
range of the big guns.
Those are all 4096-bit keys.
Post by Joe User
Anything more is probably not for the next 5 to 10 years.
I would like a farther horizon.
Post by Joe User
It all depends on how bad they want it. Criminals are probably low
hanging fruit. They're stupid and in a hurry and because they are
evil they will probably eventually get caught. Privacy advocates
like us who just want the wrong people minding their own business
are hopefully not on anybody's list and will remain that way.
Some of the criminals are getting pretty sophisticated. And the big
players may want to sweep the field of "privacy advocates like us"
for some reason.
And I really just want to feel that I am taking good precautions to
guard my privacy from both criminals and the big players.
Post by Joe User
Post by Anonymous
My original question here was, "Should I just use symmetric
encryption where I can? That will use whatever seriously large key
I can come up with, which is going to be more difficult to crack
than a 256-bit key."
No, the ciphers all have key limits and so far none of them use more than
256 bits of key material.
Which is what I'm surprised and concerned about.
Post by Joe User
....
Post by Anonymous
Is there really any sense in using a seriously strong pass phrase, even
with symmetric encryption?
gpg will hash your passphrase and pad it to be suitably long for the cipher
in question. The more randomness in your passphrase the better that works in
theory anyway.
You must use a suitably difficult and long passphrase or a brute force
attack becomes very doable.
But the attacker would be making better use of their resources by
attacking the session key instead of trying to get around my more
powerful key that I'm using for the symmetric encryption. I was
surprised to find that my very strong keys were getting reduced to
256-bits.
I think I'm just feeling doomed here.
You're probably not doomed.

I may have an acceptable solution to the problem you present:
encrypt it twice.

I'm not what I think of as a newbie at this, but I am only one step
above that, call me a novice. So maybe I have made some assumptions
here that are wrong, but if I have I'm sure I'll get corrected.

If you're using symmetric encryption then encrypt the plaintext as
usual. Take the ciphertext from that operation and then encrypt it
with another symmetric encryption cipher. GPG has several symmetric
ciphers available.

I've just tried this, encrypting plaintext and then the resulting
ciphertext, and then I looked at the session keys for both
operations. The session keys are different. I used the same
passphrase for both operations.

If your passphrase is as good as you say it is then it's not a
vulnerability, and I think you are not a lot more vulnerable by
using it twice. You can always use two different really strong
passphrases for the two different cipher operations if you feel the
need.

Anyway, an attacker will have to defeat two different 256-bit
session keys in order to get your plaintext. I'm not sure if that's
equivalent to being able to use a 512-bit session key, but it has
to be a lot stronger than having only one 256-bit session key.

You could also symmetrically encrypt the plaintext and then use
public key encryption to encrypt that ciphertext. You'll get two
different 256-bit session keys then too.

All of this is not as convenient as encrypting once with a session
key that's as strong as you'd like it to be, but if you are worried
about session key vulnerability then maybe more is/are better.

HTH.

A. Novice
