Which type of key should I choose and why?

Paul L. Allen pla@softflare.net
Mon, 16 Oct 2000 01:11:00 +0100

[I'm not subscribed to the list, pleas Cc me a copy of replies]

On Sun, Oct 15, 2000 at 11:01:41PM +0100, David Pick wrote:

> > On Sun, Oct 15, 2000 at 08:29:59PM +0100, David Pick wrote:
> > > Because if it's "sign-only" it can't be used for encryption. If it
> > > can't be used for encryption the British police can't serve you
> > > with a notice under RIPA requiring you to reveal it.
> >
> > I take it you meant "RIPE" and that was a typo.
> No, I meant the "Regulation of Investigatory Powers Act".
I just double-checked. I knew it wasn't RIPA. The official acronym appears to be RIP. Which is very apt, because our freedom and privacy will be RIP once it's in force.
> > They'll still suspect
> > that you have an encryption key (possibly signed by your sign-only key)
> > hidden elsewhere.
> Sure. Which is why I suggest actually using a pair of keys (well, of
> course, in a public-key system a pair of key-pairs) so that if you
> *do* (eventually!) reveal the encryption key you don't compromise the
> signature key.
That makes sense. To a degree. I'm uncertain about the practicability of wiping out the signing key before they manage to kick the door in.
> > > So they can't use it to forge your signature on anything incriminating.
> >
> > That's the least of your worries about RIPE. Perpetual imprisonment is
> > another.
> <snip>
> > at that point you'll hand your key over,
> > because they'll just keep going if you don't.
> Oh, I know. I'm just trying to point out why signature-only keys can
> help protect your signatures if nothing else. BTW the notices *can* be
> challenged, but the onus is on you to justify the refusal.
In theory, there's no difference between theory and practise; in practise there is. Theoretically you can challenge, but actually succeeding with a challenge is unlikely.
> I suspect we'll see the rise of another form of "Trusted Third Party" of
> independant forensic experts to whom you could reveal your key without
> the Police (or spooks) getting hold of it, but who would be trusted by
> the Police, or more importantly the Courts, to verify that all encrypted
> data on your computer can be decoded by the set of keys you revealed,
> and to provide cryptographically signed(!) copies of the plain text
> to both parties.
While it would be nice for those of us who are not criminals but do wish to keep our privacy, I don't see the gov't allowing it. They don't just want your past traffic, they want anything that might come your way in the future.
> Steanography is a whole different problem...
Yep. True criminals, of course, will use different methods completely. They are generally part of a small circle who meet initially so it's feasible to use a code rather than a cipher. One that would not arouse suspicion in mail would have to have a large dictionary of alternate sentences for each concept to be coded and some sort of intelligence to choose loosely-related sentences in a single e-mail (remembering to delete sentences after using them. So that: Mary finally had her baby. It was premature and weighed 3lb 6oz. Might mean "the job is on; next saturday at 4:15". Of course, read as a whole, the e-mail would look like it was written by a moron with low attention span and poor memory, but there are many loons on usenet whose posts are less coherent than that. Maybe some of those loons are actually foreign agents using that sort of system to communicate with their masters. Perhaps Gnu could come up with a package like that. By giving criminals uncrackable encryption which is not a cipher it would completely kill that argument by the govt that they need to be able to demand keys from the rest of us since only criminals would find that method of encryption practicable. They could call it GnuSternlight, since it would resemble Sternlight's posting style. They could produce a low-bandwidth (not as wordy, or as coherent) version called Gnukeegan ("*chuckle* i expected you to say that, my little puppy").
> > > If you want both you should use a pair of keys, one for
> > > encryption and the other for signatures. That way, if you are
> > > unlucky enough to get such a notice you can reveal only the
> > > encryption key (if you're prepared to do so rather than get charged).
> >
> > See above. Refusing to hand over your encryption key effectively gets
> > you a life sentence if you're stubborn. If you're going to give in
> > eventually, sooner rather than later is a better option. Unless the
> > stuff you don't want them to see is time-sensitive in some way and you
> > can escape conviction for your real crime if you hide the details long
> > enough.
> Again, I agree. Which is why ... I would want to limit the damage to you
> and me if I decide I will (under protest!) reveal my encryption key(s).
Getting your encryption key also gives them traffic analysis. If we're at a stage where political dissent is effectively a crime then they don't need to discredit you by forging with your signing key, they just disappear you. Stage one is finding the dissenters by reading their mail; stage two is disposing of them. Once a gov't has the will to do that it doesn't need to resort to the artifice of forgery, it has the will and power to use blunter methods (like having some tame doctors declare you insane).
> Incidentally, I don't regard RIPA as all bad. Much is admirable. But
> someone's s**t-scared of encryption; and I suspect it's not the Police
> but but it's the spooks.
I'm pretty certain of it. The "criminals" argument doesn't hold up. The previous proposals about key escrow were revealing: you could use strong encryption without escrow if you were a defense contractor or equally important company (i.e., one the gov't could require had a tight security policy) and you used it on a UK-only private network. Putting it together, the spooks are behind this. Before PGP it was difficult to contact a foreign power if you were in a job with security implications. You can't phone their embassy - all the lines are tapped. You can't snail-mail them - all the letters are steamed open. You can't walk in - the entrance will be under photographic surveillance and the snaps compared with copies of ID cards. Etc., etc. Now the Kremlin just has to arrange their key appears in the Morning Star (don't try fingering kremvax for it because those packets will be sniffed and your IP address noted; maybe the response will be substituted too). Then you can use an anonymous remailer somewhere outside of UK/US effective control. That has the spooks *saying* this is a big problem. Gov't believes them and pushes through an idiotic bill, quelling any dissent by mentioning the security aspects to dissenting MPs. But it isn't that big a problem. The security services can counter it by setting up lots of double-agents who contact the KGB using PGP. They can use them to feed disinformation or to flush out sleepers. They can also use TEMPEST techniques and keyboard/computer bugging (since they're allowed to break in and plant bugs). It's intensive work, but feasible for a small number of criminals and suspected traitors. It just means they don't have the resources to spy on the rest of us. And they want an excuse to do that because the end of the cold war means most will be out of jobs unless they can come up with another excuse. Let's be blunt (or burgess, or philby, or mclean, or...) the biggest threat to our security has always been somebody high up in the security services. They have the opportunity to have private discussions with the other side under guise of performing their job. They have access to all sorts of sensitive info not just about secrets but about who could be blackmailed. RIP is going to damage our security by putting more juicy info on who can easily be turned by blackmail in their hands. This isn't really the right place for all that, but nobody else fighting RIP seems to have thought of it. They're all fighting the stated reasons behind it and that's a battle which can't be won because the reasons the spooks told gov't are far more persuasive. Only when you attack the faulty logic and falsehoods behind those will you stand a chance. Rant over...
> Notice, also, the similar-toned lack of a
> time-limit on revealing the existance of specific taps authorized by
> a Home Secretary's Warrent. *I* think that's even worse than the
> key notices. After all *they* are intended to apply if data is seized
> under other Police powers (like search warrents) and then found to be
> encrypted.
Apart from handing over encryption keys, it's pretty much formalizing existing practise. Of couse, if a specific tap under HS Warrant picks up encrypted traffic, you'll be forced to hand over your keys. This isn't about going after Ronnie Biggs or Gary Glitter, it's about spook-work. If it manages to also catch a petty criminal once every 10 years, that's a bonus. [...]
> > Thanks for your answers. You've cleared up the query about why
> > signature-only. Now all I need to know is under what circumstances
> > DSA+ElGamal is preferable to ElGamal (sign and encrypt) and vice
> > versa. Does it come down to being able to delete the signature key
> > if you're quick enough (to at least stop them forging stuff in your
> > name)? You still have to reveal your encryption key or face a life sentence,
> > and that's likely to be more incriminating if you're a real criminal.
> Er... I won't swear to this without consulting documentation I don't
> have at home, but I think the DSA keys *are* ElGamel keys coupled
> with the use of the DSA for actually using it. But IIRC DSA+ElGamel
> is a pair of key (pairs) as I discussed instead of one key (pair)
> used for both functions. DSA = one key (pair) and ElGamel = the other
> key (pair).
That's what I gathered. At a guess, in the first DSA is taking the place of MD5 from the original with EG in the RSA role and in the other option EG is being used both for encryption and cryptographic hashing. But I've yet to find anything confirming that guess or saying why one is preferable to the other.
> > Basically, I'd like to know if the difference between the options is
> > technical (this cipher or this signature algorithm is stronger) or
> > operational (you can delete one of the keys if you need to and have
> > the time and maybe have some degree of protection against some forms
> > or abuse by authority).
> Ah, now here's an interesting point. The lifetime of the key (pair) is
> a factor in how strong (long) the keys should be. In many ways signatures
> are both more sensitive *and* sensitive for longer than any individual
> encryption key. Especially signatures on other keys. So I'd always be
> inclined to use a longer and hence stronger key for a signature key
> than an encryption key.
Good thinking. That's certainly a good point. Using EG for both functions would therefore presumably mean either accepting weaker signing or more time-consuming encryption. But that's a pure guess which may be wrong. Basically, this is a weak-spot in the docs because users shouldn't have to puzzle it out for themselves or make guesses. It's as intrinsic to correct operation as choosing the right key size and that is covered in detail.
> > Come to that, now RSA let the patent go early,
> Only by about 10 days!
Whoops! The irony-lock key on this keyboard has stopped working. :-)
> > are there any advantages to
> > using that instead of the others?
> I suspect so - anyone breaking *that* maths problem is likely to get more
> publicity than the other one.
Which also means it's had more attention for longer.
> BTW: GnuPG now includes code for RSA keys
I noticed. But I don't know if EG got added to PGP because of technical superiority or to evade the patent difficulties that made it such a hassle to ensure you were using it legally. So I don't know if I should be using EG or RSA for encryption strength now that GPG offers both.
> but will only generate ones using version 4 packet formats, not the older
> version 3 packets. Given the advantages of v4 keys I think that's
> understandable.
Trouble is, one of the reasons I'm looking at GPG is for use with automated verification systems used by various domain registrars. They use PGP but don't say what version. I know I can get RSA and (somewhat dubiously) IDEA but I still don't know if that's enough to interoperate with what those registries are using. Or maybe DSA/EG is enough but the packet format will cause me problems.
> There's also module implementing the AES selection, Rijndael,
> already...
So I noticed, although I hadn't realized that was the AES selection. To be honest, if they're happy with it, I'm not, given the political constraints they probably operated under... --Paul -- Archive is at http://lists.gnupg.org - Unsubscribe by sending mail with a subject of "unsubscribe" to gnupg-users-request@gnupg.org