Non-cipher preferences (Was: Re: --override-session-key $PASS simple brute force attack vulnerability?)

David Shaw dshaw@jabberwocky.com
Mon Jul 15 23:55:01 2002


On Mon, Jul 15, 2002 at 09:06:59PM +0000, Brian M. Carlson wrote:
> On Mon, Jul 15, 2002 at 09:33:38AM -0400, David Shaw wrote:
> > On Mon, Jul 15, 2002 at 11:46:17AM +0000, Brian M. Carlson wrote:
> > > You can see my preferences here:
> > > 	Cipher: 3DES, BLOWFISH, CAST5, AES192
> > > 	Hash: RIPEMD160, TIGER192, SHA1 (that is a nasty extra SHA1 that
> > > 	shouldn't be there)
> > > 	Compression: ZLIB, ZIP, Uncompressed
> > > 	Features: MDC
> > 
> > No, that SHA1 is required by the OpenPGP protocol.  You can put other
> > hashes in front of it if you prefer, but you can't get rid of it.  The
> > same thing applies to the 3DES cipher, and the "Uncompressed"
> > compression type.
> 
> I disagree. I am using as my reference 2440 bis05. Section 12.1
> specifically states that "Since TripleDES is the MUST-implement
> algorithm, if it is not explicitly in the list, it is tacitly at the end.
> However, it is good form to place it there explicitly." Section 12.2
> states merely: "Other algorithm preferences work similarly to the
> symmetric algorithm preference, in that they specify which algorithms
> the keyholder accepts." 12.2.1 merely states that an implementation MUST
> recognize when to send an uncompressed message, and that if "the
> preferences are not present, then they are assumed to be [ZIP(1),
> UNCOMPRESSED(0)]." Note that says if they are not present. 12.2.2 is
> silent on requiring anyone to use any algorithm.

That's interesting.  To me, 12.2 means the opposite of your
interpretation - they also have the implied addition of the MUST
algorithms.

Look at it in terms of functionality.  Let's say I'm encrypting a
message to you, and the question arises whether to compress it, and
what algorithm to use.  I consult your compression preferences and see
that you allow ZLIB only.  My implementation can only do ZIP.  Now we
cannot communicate.  The answer is, of course, not to compress -
which would violate your interpretation of the RFC.  Again: if I do
not use the implied "uncompressed" setting at the end of your list,
then we cannot communicate at all.

David

-- 
   David Shaw  |  dshaw@jabberwocky.com  |  WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson
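As an added example (not part of the thread), here is a small Python model of the negotiation David describes: the recipient's preference list is treated as having the MUST-implement algorithm tacitly appended, and the sender picks the first entry it can also do. Algorithm names are the ones used in the mail; the function names and the sender's capability sets are my own assumptions.

```python
"""Added example, not code from the mailing list or from GnuPG.

Models OpenPGP preference negotiation under the interpretation argued in
the mail: each preference list has the MUST-implement algorithm tacitly
at its end (RFC 2440 12.1 says this for TripleDES; the mail argues the
same convention holds for hash and compression preferences).
"""

# MUST-implement algorithm per preference type (assumption: the same
# tacit-append rule applies to all three, as the mail argues).
IMPLIED_MUST = {
    "cipher": "3DES",
    "hash": "SHA1",
    "compression": "Uncompressed",
}


def effective_prefs(kind, prefs, imply_must=True):
    """Recipient's preference list with the MUST algorithm appended
    unless it is already listed explicitly (good form per RFC 2440)."""
    prefs = list(prefs)
    must = IMPLIED_MUST[kind]
    if imply_must and must not in prefs:
        prefs.append(must)
    return prefs


def negotiate(kind, recipient_prefs, sender_supports, imply_must=True):
    """Return the first algorithm in the recipient's effective preference
    order that the sender implements, or None if there is no overlap."""
    for alg in effective_prefs(kind, recipient_prefs, imply_must):
        if alg in sender_supports:
            return alg
    return None


if __name__ == "__main__":
    # The scenario from the mail: recipient allows ZLIB only, the sender
    # can only do ZIP (and, like every implementation, can send
    # uncompressed data).
    sender = {"ZIP", "Uncompressed"}
    print(negotiate("compression", ["ZLIB"], sender))                   # Uncompressed
    print(negotiate("compression", ["ZLIB"], sender, imply_must=False))  # None
    # Brian's hash list already carries SHA1, so nothing is appended.
    print(effective_prefs("hash", ["RIPEMD160", "TIGER192", "SHA1"]))
```

With the implied entry the two parties fall back to an uncompressed message; without it, as the mail says, they cannot communicate at all.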