GnuPG cannot decrypt an ECDH-AES128 message encrypted to Alice's Key from draft-bre-openpgp-samples-00
Closed, Resolved | Public

Description

The reference key labeled as "Alice's OpenPGP Transferable Secret Key" in draft-bre-openpgp-samples-00 is an EdDSA key, with Symmetric algorithm preferences [AES256, AES192, AES128, TripleDES]. GnuPG can correctly perform encrypt/decrypt roundtrips using this key, using AES256.

We provide a ciphertext encrypted to Alice's public key, but using AES128. This ciphertext was generated with github.com/ProtonMail/crypto and is decryptable by other implementations; however, gpg cannot decrypt it:

$ gpg --version
gpg (GnuPG) 2.2.12
libgcrypt 1.8.4
$ echo "Enc/Dec roundtrip proof" | gpg --encrypt --recipient "Alice Lovelace" | gpg --decrypt
gpg: encrypted with 256-bit ECDH key, ID 4766F6B9D5F21EB6, created 2019-01-22
      "Alice Lovelace <alice@openpgp.example>"
Enc/Dec roundtrip proof
$ gpg --decrypt ciphertext.asc
gpg: encrypted with 256-bit ECDH key, ID 4766F6B9D5F21EB6, created 2019-01-22
      "Alice Lovelace <alice@openpgp.example>"
gpg: public key decryption failed: Wrong secret key used
gpg: decryption failed: No secret key

Possible cause
This might be related to unsupported size-obfuscation PKCS5 paddings (see 13.5 of the draft).

OS information:
Distributor ID: Ubuntu
Description: Ubuntu 19.10
Release: 19.10
Codename: eoan

Details

Version
2.2.12
werner edited projects, added OpenPGP; removed Bug Report. Apr 17 2020, 12:10 PM
werner closed this task as Resolved.
werner claimed this task.
werner added a subscriber: werner.

Sorry, I don't know what kind of sample data that is. The reference keys have been provided by the RFC6637 author and are part of GnuPG's test suite; see (gnupg/tests/openpgp/samplekeys/ecc-sample-*).

The size obfuscation is not well defined in 6637 and the reference code did not support it. However, we recently allowed for longer padding; see T4908.
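
Added example, not part of the task or of GnuPG or ProtonMail/crypto code: the RFC 6637 section 8 block that is fed to AES key wrap, built for AES128 with minimal padding (24 octets) and with the 21-octet size-obfuscating padding (40 octets). The `minimal_padding_only` switch models a hypothetical strict receiver to illustrate the suspected failure mode; function names and the sample key are constructed.

```python
# Added example: RFC 6637 section 8 plaintext for AES key wrap.
# Layout: algo-id || session key || 2-octet checksum || PKCS5-style padding.
KEY_LEN = {7: 16, 8: 24, 9: 32}  # OpenPGP symmetric algo ids: AES128/192/256


def encode_m(algo, key, total_len=None):
    """Build the padded block; total_len=40 gives the size-obfuscating form."""
    body = bytes([algo]) + key + (sum(key) & 0xFFFF).to_bytes(2, "big")
    if total_len is None:
        total_len = (len(body) // 8 + 1) * 8  # minimal padding to 8 octets
    pad = total_len - len(body)
    if total_len % 8 or not 1 <= pad <= 255:
        raise ValueError("bad target length")
    return body + bytes([pad]) * pad


def decode_m(block, minimal_padding_only=False):
    """Parse the unwrapped block and return (algo, session_key).

    minimal_padding_only=True models a hypothetical strict receiver that
    rejects pad lengths above 8; it is not taken from any implementation.
    """
    if len(block) < 8 or len(block) % 8:
        raise ValueError("length not a multiple of 8")
    pad = block[-1]
    if pad == 0 or pad > len(block) - 4 or block[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad padding")
    if minimal_padding_only and pad > 8:
        raise ValueError("padding longer than one 8-octet block")
    body = block[:-pad]
    algo, key, csum = body[0], body[1:-2], body[-2:]
    if KEY_LEN.get(algo) != len(key):
        raise ValueError("key length does not match algorithm id")
    if (sum(key) & 0xFFFF).to_bytes(2, "big") != csum:
        raise ValueError("checksum mismatch")
    return algo, key


def accepts(block, **kw):
    """True if decode_m parses the block without raising."""
    try:
        decode_m(block, **kw)
        return True
    except ValueError:
        return False


SAMPLE_KEY = bytes(range(16))             # constructed AES-128 session key
MINIMAL = encode_m(7, SAMPLE_KEY)         # 19 + 5 pad  = 24 octets
OBFUSCATED = encode_m(7, SAMPLE_KEY, 40)  # 19 + 21 pad = 40 octets
```

A receiver that reads the pad length from the final octet handles both forms; one that assumes at most one block of padding rejects the 40-octet AES128 form even though the key and checksum are intact.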