riseup.net OpenPGP Best Practices article

Robert J. Hansen rjh at sixdemonbag.org
Thu Jun 26 22:06:25 CEST 2014 

On 6/26/2014 11:26 AM, Daniel Kahn Gillmor wrote:
> The pushback of "don't bother using stronger crypto, something else
> will be your problem" seems silly to me.  It's like saying "don't
> bother fighting sexism, people are going hungry!"  We can (and
> should) push on all of these fronts concurrently.

I've been writing and rewriting this several times now: I'm not sure if
I've found diplomacy here, but there comes a point where you have to say
"screw it" and hit send.

Four of the best guiding principles I've found are:

	1.  Design the system as if the bad guys control
	    everything that is not an immediate game-over.
	2.  Assume the bad guys will degrade your system in
	    the most damaging ways possible (subject only
	    to #1).
	3.  Your level of protection is defined by your
	    resistance to the enemy's worst skulduggery,
	    not your performance in the absence of
	    skulduggery.
	4.  Just because you define something to be an
	    immediate game-over doesn't mean the enemy can't
	    do it -- it just means you can't defend against it
	    and for that reason aren't covering it.

One of the justifications you give for your faith in increased key
lengths is "[RFC4880] also encourages people to advertise preferences
for stronger ciphers, so correspondents using tools which respect those
advertised preferences (like GnuPG) *will* get the increase in strength
described."

But see #2 above, though.  The bad guys will degrade your system in the
most damaging ways possible, subject to the assumptions we make in #1.
Since it's possible to degrade the cipher preference to 3DES, we need to
assume that's exactly what will happen.  (Your next objection is "How?".
 That's a non-sequitur right now.  I believe serious adversaries can do
this because (a) there's no mechanism to prevent them from doing it, and
(b) system degradation is such a bog-standard attack vector that I can't
believe they haven't already thought up ways.  Whether *I* have thought
up ways is irrelevant.)

People should feel free to use cipher preferences, but they shouldn't
have any expectation that it matters a damn.  The most you can guarantee
out of it is 3DES with 112 bits of keyspace: everything beyond that is a
gift from your enemy.  If your security model depends on using
Camellia256, then you need to use something other than OpenPGP, because #3.

More information about the Gnupg-users mailing list