5

Let's say you want to send the same GPG/OpenPGP encrypted message to 50+ recipients. Assuming everyone you send to is trusted, and there is no risk of any recipient leaking their secret key, is sending a single message to multiple recipients less secure from an "ability to break" perspective?

Since GPG uses hybrid encryption, the message gets encrypted symmetrically with a key (the session key) that is encrypted asymmetrically.

Is the session key easier to figure out if you have 50+ asymmetrically encrypted strings that you know will all result in the exact same string when decrypted? (Though I realize that solving that session key would only compromise that specific message, and not any past or future messages from the sender or to any of the recipients.)

Would it then be more secure sending that specific message in batches of 5 or 10 recipients at a time? (or if you are paranoid, one recipient at a time) Even if the messages are identical, I would assume the session key is also generated with a timestamp or at least some form of non-deterministic factor in addition to the message hash. As a result each individual "5 recipient" message would end up with a different session key, and you would only have 5 encrypted versions of that key available.

IQAndreas
  • I hate using the word _"crack"_. Is there a more official term for decrypting data without having the encryption key? – IQAndreas Sep 23 '14 at 13:28
  • GPG has to encrypt the session key separately for each recipient using their public key. As long as the software performing GPG isn't using the same session key across all emails, you should be fine. I would substitute "break" for "crack" – RoraΖ Sep 23 '14 at 13:28
  • @raz Is "session key" the name for the key used for the symmetric encryption? If so, GPG would _have to_ use the same session key for all recipients if you want a single email or file to be decryptable by all recipients. – IQAndreas Sep 23 '14 at 13:31
  • Yeah, I'm using "session key" as the symmetric encryption key term. If GPG *has* to encrypt a session key separately for each recipient, I see no reason why it wouldn't just generate separate session keys at the same time. Encrypt the email separately for each recipient in this case. Might do a little research on that myself. – RoraΖ Sep 23 '14 at 13:39
  • This answers the question of different symmetric key: http://security.stackexchange.com/questions/8245/gpg-file-size-with-multiple-recipients – RoraΖ Sep 23 '14 at 13:47
  • @raz That's exactly what I meant by the second paragraph of my question. What I'm asking is, is it easier to figure out what the session key is if I have 50+ of those 271 byte packets that I know will all decode to the same value? – IQAndreas Sep 23 '14 at 13:54
  • @IQAndreas "Crack" is a technical term, at least [according to the _New Hacker's Dictionary_](https://www.gutenberg.org/files/3008/3008-h/3008-h.htm#crack). At least he didn't incorrectly use "[hack](https://www.gutenberg.org/files/3008/3008-h/3008-h.htm#hack)." "[Break](https://www.gutenberg.org/files/3008/3008-h/3008-h.htm#break)" has a different sense. – Geremia Jan 06 '16 at 00:54

2 Answers

3

Cryptographically, the scheme you describe is not increasing your risk. From an overall security standpoint, adding the additional recipients creates more points where things can go wrong.

  1. Each of the recipients represents an additional endpoint where the message must be secured. You may trust each of the people, but can you equally trust all of their computers to be secure? Having fifty recipients means there are at least 51 attack surfaces involved.
  2. Adding multiple encrypted session keys provides a hiding ground for a rogue encrypted session key. A human may notice if one key was suddenly replaced with two keys, but might not notice if a fifty-first key was added to a list of fifty keys.
John Deters
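
One way to make the second point checkable, as an added example that is not part of the original answer: parse a binary (dearmored) OpenPGP message, list the key IDs in its Public-Key Encrypted Session Key packets, and compare them with the intended recipient set. The key IDs, `EXPECTED`, `SAMPLE` and `make_pkesk` are constructed for illustration; real packets name each recipient's encryption subkey, and a hidden recipient appears as an all-zero key ID.

```python
def packets(data):
    """Yield (tag, body) for each packet of a binary OpenPGP message (RFC 4880, 4.2)."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                      # new-format header
            tag, first = hdr & 0x3F, data[i + 1]
            if first < 192:
                length, i = first, i + 2
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 2] + 192, i + 3
            elif first == 255:
                length, i = int.from_bytes(data[i + 2:i + 6], "big"), i + 6
            else:
                return                      # partial body length: encrypted data reached
        else:                               # old-format header
            tag, n = (hdr >> 2) & 0x0F, (1, 2, 4, 0)[hdr & 0x03]
            if n == 0:
                return                      # indeterminate length: encrypted data reached
            length, i = int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n
        yield tag, data[i:i + length]
        i += length

def pkesk_key_ids(message):
    """Key IDs named by the encrypted-session-key packets (tag 1, version 3)."""
    return [body[1:9].hex().upper() for tag, body in packets(message)
            if tag == 1 and body[:1] == b"\x03"]

def audit_recipients(message, expected):
    """Return (unexpected, missing) key IDs relative to the intended recipients."""
    found = pkesk_key_ids(message)
    unexpected = [k for k in found if k not in expected]   # includes all-zero hidden IDs
    return unexpected, sorted(set(expected) - set(found))

def make_pkesk(key_id, new_format):
    """Constructed test packet: version 3, key ID, algorithm 1 (RSA), dummy MPI."""
    body = b"\x03" + bytes.fromhex(key_id) + b"\x01" + b"\x00\x10\xab\xcd"
    return (b"\xc1" if new_format else b"\x84") + bytes([len(body)]) + body

EXPECTED = {"1111111111111111", "2222222222222222"}        # placeholder key IDs
# Constructed message: two intended recipients, one extra, then a tag 18 data packet.
SAMPLE = (make_pkesk("1111111111111111", False) + make_pkesk("2222222222222222", True)
          + make_pkesk("DEADBEEFDEADBEEF", False) + b"\xd2\x03\x01\xaa\xbb")

if __name__ == "__main__":
    print(audit_recipients(SAMPLE, EXPECTED))
```
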
1

This in general depends on the exact way the asymmetric encryption is performed (i.e. a completely naive implementation of RSA could be a problem; see Håstad's attack). For GPG/OpenPGP there should be negligible extra security risk when encrypting the same string using multiple different public keys.

Modern cryptographic protocols and algorithms are usually designed with extremely strong opponents in mind. Usually assumptions include that opponents can do things such as choose plain texts to be encrypted or require decryption of specified plain texts.

For RSA, appropriate schemes have even been proven secure in the setting you mention (multiple recipients), assuming they are secure in the single-user setting (one recipient) in a strong enough way; see: http://www.iacr.org/archive/eurocrypt2000/1807/18070262-new.pdf .

IMO there should be no reason to worry about encrypting the same message to multiple recipients from an encryption security point of view.

It is of course essential to always worry about it from the "50 people now have this message and any one of them can reply without encrypting or forward the message onwards" point of view.

DRF
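
A toy illustration of why the padding matters, added here and not part of the original answer: with raw RSA and e = 3, three ciphertexts of the same value under different moduli determine that value through the Chinese remainder theorem, while a fresh random pad per recipient (which OpenPGP gets from the PKCS#1 v1.5 encoding of the session key) removes the common plaintext. The moduli, the 16-bit key and the pad layout are constructed assumptions.

```python
import secrets
from math import prod

E = 3
# Constructed toy keys: each modulus is a product of two primes p with p % 3 == 2, so
# e = 3 is a valid exponent. Real moduli are thousands of bits long.
MODULI = [10007 * 10037, 10061 * 10067, 10079 * 10091]

def encrypt(session_key, n, pad=0):
    """Raw RSA on (pad || 16-bit key). pad=0 is textbook RSA; a random pad per recipient
    is a toy stand-in for the random bytes of EME-PKCS1-v1_5, not that encoding."""
    return pow((pad << 16) | session_key, E, n)

def crt(residues, moduli):
    """Chinese remainder theorem: the x in [0, prod(moduli)) matching every residue."""
    big_n = prod(moduli)
    return sum(r * (big_n // n) * pow(big_n // n, -1, n) for r, n in zip(residues, moduli)) % big_n

def icbrt(x):
    """Floor of the integer cube root, by binary search."""
    lo, hi = 0, 1 << (x.bit_length() // 3 + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        lo, hi = (mid, hi) if mid ** 3 <= x else (lo, mid - 1)
    return lo

def shared_plaintext(ciphertexts, moduli=MODULI):
    """Return m if every ciphertext is m**3 mod n_i for one common m, else None."""
    x = crt(ciphertexts, moduli)
    root = icbrt(x)
    return root if root ** 3 == x else None

KEY = 0xBEEF  # constructed 16-bit stand-in for a session key
textbook = [encrypt(KEY, n) for n in MODULI]
padded = [encrypt(KEY, n, pad=1 + secrets.randbelow(1023)) for n in MODULI]

if __name__ == "__main__":
    print("textbook RSA, same value to 3 keys:", hex(shared_plaintext(textbook)))
    print("random pad per recipient:         ", shared_plaintext(padded))
```
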