getting rid of blowfishes

L. Sassaman rabbi@quickie.net
Sun, 30 Apr 2000 17:04:19 -0700 (PDT)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sun, 30 Apr 2000, cFischer wrote:


> On Sun, Apr 30, 2000 at 02:25:20PM +0200, Werner Koch wrote:
>
> > ElGamal S+E keys are fully OpenPGP compatible and GnuPG avoids the
> > problems. I don't suggest to use them, however some folks feel like
> > it is a good idea to have a fallback algorithm.
>
> so what _are_ the well known probs with elgamal s+e which gnupg avoids?

ftp://ftp.inf.ethz.ch/pub/publications/papers/ti/isc/ElGamal.ps discusses the signature verification problem. This is the one that concerns me most, since GnuPG users have no control over what the recipient's OpenPGP program is.

However, there is also an issue with key generation. From RFC 2440:

   If an Elgamal key is to be used for both signing and encryption, extra care must be taken in creating the key.

   An ElGamal key consists of a generator g, a prime modulus p, a secret exponent x, and a public value y = g^x mod p. The generator and prime must be chosen so that solving the discrete log problem is intractable. The group g should generate the multiplicative group mod p-1 or a large subgroup of it, and the order of g should have at least one large prime factor. A good choice is to use a "strong" Sophie-Germain prime in choosing p, so that both p and (p-1)/2 are primes. In fact, this choice is so good that implementors SHOULD do it, as it avoids a small subgroup attack.

> > Blowfish is a well respected algorithm and has been used by the first
> > PGP 5 version. It is faster than CAST-5 and OpenPGP compatible.
> > Twofish is not yet OpenPGP and not in wide use mainly because NAI
> > refused to accept most OpenPGP WG suggestions because they don't want
> > to implement it in their product.
>
> i guess it was rabbi who said blowfish isn't all that well reviewed. you
> see, the problem with my less than profound background in math is that i
> have to trust the reviewers. could someone please be nice enough to give a
> comparison of the symmetric/asymmetric ciphers implemented in gnupg?

Well, that's not exactly what I said. I said that Blowfish wasn't as respected as some of the other algorithms, including Twofish (which is newer, and thus has not had as much time to be reviewed as Blowfish. Twofish is an AES candidate, though, so it has had a lot of scrutiny.)

> > with proprietary products. If NAI wants to be compatible to GnuPG,
> > they should fix PGP: I guess they have far more developers than we.
>
> -*- YES! -*-

And certain things, like Blowfish and ElGamal signing keys, won't ever be in PGP... so I don't think it would be unreasonable for there to be a note about this in GnuPG (i.e., "Don't use this if you need/want compatibility with PGP").

__

L. Sassaman

System Administrator                |
Technology Consultant               |  "To hold a pen is to be at war."
icq.. 10735603                      |
pgp.. finger://ns.quickie.net/rabbi |             --Voltaire

-----BEGIN PGP SIGNATURE-----
Comment: OpenPGP Encrypted Email Preferred.

iD8DBQE5DMoLPYrxsgmsCmoRAr++AJ4sxQV9ozSyAefjq/sfHBC4uA7JkgCcC6YQ
+GihHn2BRD3FNx9NmcZxfkg=
=GNYD
-----END PGP SIGNATURE-----
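
Added example, not part of the original message and not GnuPG code: a check of public ElGamal values p and g against the RFC 2440 advice quoted above (p and (p-1)/2 both prime, g of large order). The function names and the toy primes 2039 and 2017 are constructed for illustration; real keys use primes of cryptographic size.

```python
import random

def is_probable_prime(n, rounds=32):
    """Miller-Rabin test; seeded RNG keeps the example reproducible."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    rng = random.Random(0)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def check_elgamal_params(p, g):
    """Return (ok, reason) for public values p and g."""
    if not is_probable_prime(p):
        return False, "p is not prime"
    if not is_probable_prime((p - 1) // 2):
        return False, "(p-1)/2 is not prime: small subgroups may exist"
    if not 1 < g < p - 1:
        return False, "g has order 1 or 2"
    # p = 2q+1, q prime: order of g divides 2q and is not 1 or 2, so q or 2q.
    return True, "order of g is q or 2q"

def small_order_element(p, r):  # r: a prime dividing p-1
    for a in range(2, p):
        h = pow(a, (p - 1) // r, p)
        if h != 1:
            return h  # h^r = 1 and h != 1, so h has order exactly r

def element_order(g, p):  # brute force; usable only for toy-sized p
    k, x = 1, g % p
    while x != 1:
        k, x = k + 1, x * g % p
    return k

# Constructed toy values: 2039 = 2*1019 + 1 is a safe prime; (2017-1)/2 = 1008 = 2^4 * 3^2 * 7.
SAFE_P, WEAK_P = 2039, 2017
```

With WEAK_P the group contains elements of order 7, which is what the "(p-1)/2 is prime" requirement rules out; with SAFE_P every element other than 1 and p-1 has order 1019 or 2038.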