Non-cipher preferences (Was: Re: --override-session-key $PASS simple brute force attack vulnerability?)

Brian M. Carlson
Mon Jul 15 23:06:02 2002

On Mon, Jul 15, 2002 at 09:33:38AM -0400, David Shaw wrote:
> On Mon, Jul 15, 2002 at 11:46:17AM +0000, Brian M. Carlson wrote:
> > You can see my preferences here:
> > 	Cipher: 3DES, BLOWFISH, CAST5, AES192
> > 	Hash: RIPEMD160, TIGER192, SHA1 (that is a nasty extra SHA1 that
> > 	shouldn't be there)
> > 	Compression: ZLIB, ZIP, Uncompressed
> > 	Features: MDC
> No, that SHA1 is required by the OpenPGP protocol.  You can put other
> hashes in front of it if you prefer, but you can't get rid of it.  The
> same thing applies to the 3DES cipher, and the "Uncompressed"
> compression type.

I disagree. I am using as my reference 2440 bis05. Section 12.1
specifically states that "Since TripleDES is the MUST-implement
algorithm, if it is not explicitly in the list, it is tacitly at the end.
However, it is good form to place it there explicitly." Section 12.2
states merely: "Other algorithm preferences work similarly to the
symmetric algorithm preference, in that they specify which algorithms
the keyholder accepts." 12.2.1 merely states that an implementation MUST
recognize when to send an uncompressed message, and that if "the
preferences are not present, then they are assumed to be [ZIP(1),
UNCOMPRESSED(0)]." Note that says if they are not present. 12.2.2 is
silent on requiring anyone to use any algorithm.

That is only required for symmetric cipher preferences. 12.2 says that
other algorithm preferences work similarly in that they specify
preferential algorithms, not in that the MUST-implement algorithm is
tacitly at the end. Those preferences should only be in place when a
user neglects to create appropriate preferences, IMO.

Brian M. Carlson
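The two readings debated in this thread, as an added example that is not part of the original message and is not GnuPG code: it computes the preference list a sender would act on under each reading and shows where the outcomes differ. All function and constant names are hypothetical, and falling back to the MUST-implement algorithm when a hash or cipher list is absent altogether is an assumption of this sketch.

```python
# Added illustration; every name here is this example's own, not GnuPG's.
MUST_IMPLEMENT = {"cipher": "3DES", "hash": "SHA1", "compression": "Uncompressed"}
# Default quoted from section 12.2.1 for an absent compression preference list.
ABSENT_DEFAULT = {"compression": ["ZIP", "Uncompressed"]}

# Reading in the quoted reply: every kind carries a tacit fallback.
ALL_IMPLICIT = {"cipher", "hash", "compression"}
# Reading in this message: only the symmetric cipher list does (section 12.1).
CIPHER_ONLY = {"cipher"}


def effective_prefs(kind, stated, implicit_kinds):
    """Return the preference list a sender would act on.

    stated: list from the key's self-signature, or None if no list is present.
    implicit_kinds: kinds whose MUST-implement algorithm is treated as
    tacitly last even when the keyholder left it out of an explicit list.
    """
    if stated is None:
        # Assumption: with no list at all, use the draft's default if it
        # gives one, otherwise the MUST-implement algorithm alone.
        return list(ABSENT_DEFAULT.get(kind, [MUST_IMPLEMENT[kind]]))
    prefs = list(stated)
    fallback = MUST_IMPLEMENT[kind]
    if kind in implicit_kinds and fallback not in prefs:
        prefs.append(fallback)
    return prefs


def choose(kind, stated, sender_supports, implicit_kinds):
    """First recipient preference the sender also supports, else None."""
    for alg in effective_prefs(kind, stated, implicit_kinds):
        if alg in sender_supports:
            return alg
    return None


if __name__ == "__main__":
    # Constructed key: the hash list from the post with SHA1 dropped,
    # and a constructed sender that implements only SHA1 and MD5.
    hashes = ["RIPEMD160", "TIGER192"]
    sender = {"SHA1", "MD5"}
    for label, rule in (("all implicit", ALL_IMPLICIT), ("cipher only", CIPHER_ONLY)):
        print(f"{label}: hash -> {choose('hash', hashes, sender, rule)}")
```

Under the cipher-only reading, a sender that supports none of the listed hashes has no common algorithm, which is the interoperability consequence of dropping the implicit entry.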
