3DES special case [Was: Re: --blacklist-digest-algo plans]

David Shaw dshaw at jabberwocky.com
Fri May 8 01:40:18 CEST 2009


On May 7, 2009, at 5:52 PM, Daniel Kahn Gillmor wrote:

> On 05/07/2009 01:25 PM, David Shaw wrote:
>> We effectively have this now.  If you take the cipher out of both your
>> on-key preferences and your personal-cipher-preferences, then other
>> people will not use it when encrypting to you, and you will not use it
>> when encrypting to other people.  GPG will even print a warning if
>> someone uses it to encrypt to you ("WARNING: cipher algorithm
>> such-and-such not found in recipient preferences").
>>
>> The only difference I see between this and a possible
>> blacklist-cipher-algo is that presumably you could blacklist 3DES, which
>> you can't remove from preferences.
>
> Why not emit a warning if 3DES is not in the preferences either?  the
> RFC says MUST-Implement, not MUST-NOT-Warn.

The RFC says that you must implement 3DES, and also that 3DES is  
always in the preferences.  If it's not actually there, then the  
implementation needs to pretend that it is.

> Currently, gpg implements CAST5, but if you --encrypt --cipher-algo
> CAST5 to someone whose preferences don't list CAST5, you get a warning.
> And if you --decrypt something over CAST5, and it is not explicitly in
> your preferences, you get a warning.

Yes.  Because the protocol was violated.  The protocol, by definition,  
is never violated by using 3DES as 3DES is always in every preference  
list.  It can't be removed, because even if you remove it, the  
implementation is required to pretend it was there.

That said, you don't need to torture the standard to accomplish what  
you want.  If you want to print a warning on 3DES, or SHA-1, or even  
because it just happens to be Thursday, any implementation can do that  
without needing to justify it somehow in the standard.  Whether it is  
wise or not is a different question.

> Why not treat 3DES the same way?  sure, we know that RFC-compliant
> OpenPGP implementations will be able to handle it.  But if someone has
> explicitly stricken it from their preference list, that probably means
> they'd rather not receive 3DES-encrypted messages.  A warning seems
> reasonable to me.

I strongly disagree.  You can't make such an assumption for the entire  
OpenPGP community, especially as it warns on something that was  
completely normal, expected, and good behavior previously.  This might  
make sense if the behavior was no longer expected and good, but that  
is not the case.  Not only has 3DES not been cracked, it's stood up to  
more attacks than any of the other ciphers in OpenPGP.  The main  
problem with 3DES is that it's really slow.

> FWIW, i just added "disable-cipher-algo 3DES" to my ~/.gnupg/gpg.conf
> today to see what happens.  i'm aware that this drastic step makes gpg
> non-RFC-compliant, but it's the closest i can currently come to getting
> it to represent my actual cipher preferences.

This is a perfectly fine thing to do.  You're sort of aiming a gun at  
your foot, true, but it's *your* foot and nobody else's.  In practice,  
given somewhat recent OpenPGP implementations, and keys with somewhat  
recent preferences, I doubt you'll see 3DES used that often.  Too many  
people rank AES higher.

David
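
Added example, not part of the message above and not GnuPG's code: a small Python model of the rule discussed in this thread, where 3DES is tacitly at the end of every preference list, so a forced 3DES never triggers the "not found in recipient preferences" warning while a forced CAST5 can. The function names, the lowest-summed-rank selection rule and the handling of a locally disabled algorithm are assumptions made for illustration; the numeric IDs are the RFC 4880 symmetric algorithm numbers.

```python
# Added illustration; not GnuPG source.
TRIPLE_DES = 2
NAMES = {2: "3DES", 3: "CAST5", 7: "AES", 9: "AES256", 10: "TWOFISH"}


def effective_prefs(on_key_prefs):
    """Preference list as the protocol sees it: 3DES is tacitly last if absent."""
    prefs = list(dict.fromkeys(on_key_prefs))  # drop duplicates, keep order
    if TRIPLE_DES not in prefs:
        prefs.append(TRIPLE_DES)
    return prefs


def select_cipher(recipient_prefs, disabled=frozenset()):
    """Pick a cipher every recipient accepts (lowest summed rank wins).

    `disabled` models a local disable-cipher-algo setting (assumption: it
    simply removes the algorithm from the candidates). Returns None when
    no usable cipher is left.
    """
    lists = [effective_prefs(p) for p in recipient_prefs]
    common = set(lists[0]).intersection(*lists[1:]) - set(disabled)
    if not common:
        return None
    return min(common, key=lambda a: (sum(l.index(a) for l in lists), a))


def preference_warning(forced_algo, on_key_prefs):
    """Warning text for a forced cipher, or None if it is within the prefs."""
    if forced_algo in effective_prefs(on_key_prefs):
        return None  # always the case for 3DES
    return ("WARNING: cipher algorithm %s not found in recipient preferences"
            % NAMES.get(forced_algo, forced_algo))


# Constructed sample keys: ALICE lists AES256 and AES, BOB lists only CAST5,
# CAROL has removed everything, including 3DES.
ALICE, BOB, CAROL = [9, 7], [3], []

if __name__ == "__main__":
    print(effective_prefs(CAROL))
    print(select_cipher([ALICE, BOB]))
    print(select_cipher([ALICE, BOB], disabled={TRIPLE_DES}))
    print(preference_warning(3, ALICE))
    print(preference_warning(TRIPLE_DES, CAROL))
```

With 3DES disabled locally, the ALICE and BOB pair has no common cipher left, which is the foot-gun case mentioned in the message.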



