Page MenuHome GnuPG
Create Task
Maniphest T1998

Can't use extended characters in passphrase
Closed, InvalidPublic
Actions

Description

Pedro Coehlo wrote to gnupg-devel on April 30th. I'm posting it here
so that it does not get lost:

I have an issue that I've detected today and searched the entire
mailing list and did not find an answer. I hope I'm not wasting
anyone's time. I use OpenSuSE 13.1 64bits as my main distribution on
Linux. I encrypt on that same computer some files and my passphrase
always used both composed characters as well as altgr symbols.
Meaning utf-8 characters.

In this particular case I used symmetric encryption on a file, like
this:

gpg -c --s2k-mode 3 --s2k-count 65011712 --s2k-cipher-algo AES256 -
-cert-digest-algo SHA512 file.txt

All is ok to decrypt the file when I use OpenSuSE KDE desktop even on
other computers I have. What I have noticed tho is a strange behavior
that should be of some concern. When trying to decrypt the exact same
file on Other distros I always get the Bad Key message! Once the Same
file is encrypted with a passphrase with no composed characters And No
altgr characters everything is ok! the file is decrypted with no
problem. I've done some testing and used Centos 6 CLI mode only,
Centos 7 with x, Ubuntu (several versions) , Kali Linux, Tails ... you
name it.

Worst. On my computer I switched to a new session with LXDE as the
desktop and ... the result was the same! The file I could decrypt in
my KDE session I was not able to decrypt on the same computer o on the
LXDE session. Same old bad key error.

Of course this may be realted to the way those chars are "interpreted"
between different environments. Or could this be a gpg bug?

Also I must alert you good folks that this is for me of Paramount
importance since increasing the character space of a passwrod is
Hugely important to increase the security. It's also a big big hurdle
if I can not have inter-environment compatibility. It really really
is annoying ... and higly curtails a lot of the power contained in
gnupg ..

Can anyone try to explain why this happening ?

Event Timeline

neal added projects: gnupg, Bug Report.Jun 5 2015, 6:05 PM
neal added a subscriber: neal.
werner added a subscriber: werner.Jun 8 2015, 12:47 PM

GnuPG takes the passphrase as a verbatim string of bytes. It does not do any
recoding. I have not looked into the deatils why this is not working for you.

The workround is to use "gpg --passwd" on the old system to change the
passphrase to ascii-only, switch to the other system, and if you want change the
passphrase again.

FWIW: The PKCS#12 import of gpgsm has a similar problem. There is no agreeement
on how passphrases are encoded and thus all tools do whatever they like. To
mitigate that gpgsm has a list of common encodings and on import failure it
tries using a different encoding. If that encoding problem on gpg evolves into
a common problem, we might build a tool which tries to re-encrypt a passphrase.

bernhard added a subscriber: bernhard.Jun 23 2015, 4:25 PM

----------Original Message----------
From: Pedro Coelho <pedro.msac@gmail.com>
Sent: Friday 19 June 2015, 14:55:41
To: gnupg-devel@gnupg.org
Subject: Issue 1998 Extended and Composed Characters on password.

Hi ,

Sorry to come up again with the same issue.
I posted some weeks ago an issue about gpg that I have detected while
working with gpg on Multiple/Cross systems.

This was passed to the bug tracking system as T1998.
I do not seem to be able to reply/follow-up on the bugtrack system so I
hope to contribute in here for the same issue.

I have tested to encrypt a file with a password that as several types of
characters, ascii, extended and composed.

As stated in the previous email listed below:

T1998

I was able to narrow down the problem to Composed Characters on the
password.

That is if one uses extended characters like the ones resulting from using
<altgr> or <altgr>+<shift> and try to decrypt the file on a different
OS/Computer, obviously the same keyboard layout must be present.
If the characters showing up on the CLI are the same as the ones used on
the password ... no problem for gpg to work correctly.

I made some tests passing the same file to Multiple Distros installed and
reached the conclusion that extended character support is not always
reliable to say the least ... but it can work.
For instance on Centos7 minimal with the exact same keyboard layout the
characters shown on display are not the same as in my default OpenSuSE 13.2
or Ubuntu. But once they are found gpg can decrypt the file.
That is an issue not of gpg but rather of the available mappings an Locales
on those particular systems. One as to simply be advised for those issues
in case of using gpg in multiple environments.

But problems do not stop there.
I have narrow down the problem of the decrypt bad key error to the Composed
Character.
If one uses composed characters problems keep showing up.

I used on the Same PC two sessions: One normal OpenSuSE KDE environment,
the other LXDE environment.
I noticed that on the LXDE session when using extended altgr/altgr+shift
chars I was able to decrypt my file.
The problem came about when dealing with Composed characters ... those
where a Symbol and a regular Character are composed.
Those who write in English most likelly never used such characters ... like
ã or õ. (don't even know if they even display correctly on your email
reader ... )

Those are a problem since in different systems Even with the same Locale
keyboard layout and Locale the use of a single composed chars can be
"misinterpreted".
On pinentry I've also seen for example when trying to enter a composed
character the box showed a double entry ...two chars (asteriscs) instead of
one ...

So this may indeed be a OS/Locale problem rather then a gpg problem ...

bernhard added a subscriber: p_msac.Jun 24 2015, 9:25 AM
werner added projects: Not A Bug, pinentry.Jun 25 2015, 2:59 PM
werner lowered the priority of this task from Normal to Low.Jan 15 2016, 4:44 PM
marcus closed this task as Invalid.Jul 7 2017, 1:39 AM