Non-cipher preferences (Was: Re: --override-session-key $PASS simple brute force attack vulnerability?)

Brian M. Carlson karlsson@hal-pc.org
Mon Jul 15 23:06:02 2002 

--hcut4fGOf7Kh6EdG
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Mon, Jul 15, 2002 at 09:33:38AM -0400, David Shaw wrote:
> On Mon, Jul 15, 2002 at 11:46:17AM +0000, Brian M. Carlson wrote:
> > You can see my preferences here:
> > 	Cipher: 3DES, BLOWFISH, CAST5, AES192
> > 	Hash: RIPEMD160, TIGER192, SHA1 (that is a nasty extra SHA1 that
> > 	shouldn't be there)
> > 	Compression: ZLIB, ZIP, Uncompressed
> > 	Features: MDC
>=20
> No, that SHA1 is required by the OpenPGP protocol.  You can put other
> hashes in front of it if you prefer, but you can't get rid of it.  The
> same thing applies to the 3DES cipher, and the "Uncompressed"
> compression type.

I disagree. I am using as my reference 2440 bis05. Section 12.1
specifically states that "Since TripleDES is the MUST-implement
algorithm, if it is not explicitly in the list, it is tacitly at the end.
However, it is good form to place it there explicitly." Section 12.2
states merely: "Other algorithm preferences work similarly to the
symmetric algorithm preference, in that they specify which algorithms
the keyholder accepts." 12.2.1 merely states that an implementation MUST
recognize when to send an uncompressed message, and that if "the
preferences are not present, then they are assumed to be [ZIP(1),
UNCOMPRESSED(0)]." Note that says if they are not present. 12.2.2 is
silent on requiring anyone to use any algorithm.

That is only required for symmetric cipher preferences. 12.2 says that
other algorithm preferences work similarly in that they specify
preferential algorithms, not in that the MUST-implement algorithm is
tacitly at the end. Those preferences should only be in place when a
user neglects to create appropriate preferences, IMO.

--=20
Brian M. Carlson <karlsson@hal-pc.org> <http://decoy.wox.org/~bmc> 0x560553=
E7
The meek shall inherit the earth; the rest of us, the Universe.

--hcut4fGOf7Kh6EdG
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.1.90 (GNU/Linux)
Comment: Ubi libertas, ibi patria.

iQEVAwUBPTM5cuWR/8lWBVPnAQM8kQgAgy6czEB6iZBcLlB6a5Hd2Ndls4HF5u8V
8U3XoF3Rj2yFL5q1cs1rHOxhQzerO7kPHzpbKnEq0v87ojD+6I0UOjxL4Uv7TyVs
vN3OoFFdTDxL3ERaFR3Hqu77jBqQwvuhyNeEvH5curk2YpGTPY72w4p2aqwaS1FI
2JJChdKKT7WkYNq5Ba9UIh+wy+Xx4ZLGSkuyj5tyiTI9BgWd8rBwyY7cqkSeg0fO
VM+CnmLVR3kRpJTcdjnzediSagbcA72wMn7XtPAQo4twqrpCe0qUT8+S5g2d+m2v
Ztd2UItja3IrXiC/1NFPIKS3UzCOuX2SEcpzi8hyqQnWi60OTt4/Og==
=pisL
-----END PGP SIGNATURE-----

--hcut4fGOf7Kh6EdG--