On Jul 30, 2012, at 10:45 AM, ved...@nym.hush.com wrote: > While playing around with --override-session key , have noticed > that gpg gives many different sets of error messages when trying > out different session keys.
[examples] > Borh examples give error messages identical to the first one, > except that when the first 8 real characters are used, the error > message of 'gpg: [don't know]: invalid packet (ctb=37)' is not > present, > and when the second real 4 characters are used, there is a > 'different' error message of 'gpg: [don't know]: invalid packet > (ctb=32)'. Yes, this is expected behavior. It follows from what I explained earlier in this thread. When you use --override-session-key, you bypass the quick check (after all, you gave the override key - what is there to check?) so you are seeing GnuPG choke on the invalid OpenPGP structures resulting from the garbage decryption. > Anything real about the 'oracle' action in any of this ? It's only an oracle if you return this output to the attacker, or in some other way allow the attacker to see differences (timing, for example) in the responses to what he submits to you. Don't do that ;) David _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
