Detecting PGP 2.6.x keys

David Shaw dshaw at jabberwocky.com
Fri Sep 17 14:24:40 CEST 2004


On Fri, Sep 17, 2004 at 08:48:21AM +0200, Johan Wevers wrote:
> David Shaw wrote:
> 
> >Why should he?  In most of the world he can't even use IDEA legally
> >without a licence.
> 
> In most cases use will be non-commercial, so there shouldn't be a problem.
> In other cases I wouldn't care. I've never heard of Ascom-Tech suing
> anyone for breach of the IDEA patent.

Using something legally and using it hoping (or even expecting) not to
be sued are not the same thing. ;)

> >This isn't his problem (over 90% of the userbase).
> >This is user A's problem (less than 10% of the userbase).
> 
> You wrote these 90-10% numbers come from counting keys on a keyserver.
> But I disagree with your assessment of the number of abandoned keys:
> considering the use of pgp 2.x among people who are more knowledgeable
> about encryption, I think there are relatively fewer abandoned keys among
> those 10% than among the 90% v3 keys. Especially among the keys created
> with all default parameters among those 90%.

I would expect that the use of pgp 2.x would be less among those
knowledgeable about encryption, given the list of problems (using MD5,
small key sizes, fingerprint forgery, keyid forgery, etc.), plus that
it doesn't interoperate well with the rest of the world (encryption is
great, but not if you can't actually use it to communicate).  There are
certainly a number of 2.x die-hards who simply will never change over,
and that's fine for them, but that should not stop progress for
everyone else.

In any event, let's play with the numbers a bit.  I misremembered the
statistics when I wrote that email.  It's actually *worse* for V3
keys: slightly over 95% for V4 keys and slightly under 5% for V3.

Stats as of May 2002 (as per
   http://lists.alt.org/pipermail/pgp-keyserver-folk/2002-May/001853.html):

      V2 keys 18159
      V3 keys 143068
      V4 keys 3055126

These are stats from 2002, but I'd be pretty shocked to see that V3
keys grew at a faster rate than V4 between then and now.

For the sake of argument, let's pretend the V2 keys are V3 keys.  What
percentage of the V3 keys do you think are still in use and not
abandoned?  What percentage of the V4 keys?  It would have to be a
pretty large percentage of V3 and a pretty small percentage of V4 to
justify making rather significant changes to GnuPG.

> >In any event, this is not a useful suggestion.  When working on GnuPG,
> >I have to follow the OpenPGP standard.
> 
> But that doesn't prevent decrypting pgp 2.x messages. And I hope it stays
> that way (since you fixed the error in 1.3.6 I hope it still is).

IDEA often prevents decrypting a PGP 2.x message, but in any event, my
comment was in regards to generating a message to more than one user.
Decryption is not usually a problem (either it works or it doesn't -
it does not harm other users in the process).

My comment was that given a case of user A with PGP 2.x, and user B
with anything else, there is effectively no way to encrypt that will
definitely work for them both.

The problem is this: PGP 2.x breaks on anything it doesn't understand.
This includes an encrypted session key.  Thus, in the case where user
A has PGP 2.x and user B has anything else, if user B has an RSA
encryption key, AND it is less than 2048 bits long, AND they have
IDEA, then it is possible to encrypt to both.  Anything else will
break PGP 2.x.

If all the OpenPGP users would agree to using <=2048 bit RSA keys and
either buy IDEA, use it non-commercially, or use it illegally, then
we'd be set. ;)

Since there is (effectively) no way to generate a message that is
usable for both users, this pretty much demands using two different
messages, and encrypting twice, once for each user, and that is
something that really belongs outside of GnuPG.

> >There is absolutely no requirement in OpenPGP that a client supports IDEA,
> >and therefore I cannot assume that a client supports it either.
> 
> That is a very formal way of reasoning. Anything except 3DES is not
> required, but that doesn't mean it can't be used. Now, if I were
> advertising some obscure module noone uses except for testing (like the
> Skipjack module), I would agree. But not in this case. IDEA is too much
> used in the field to be simply ignored (and the GnuPG developers do
> acknowledge that, otherwise there wouldn't be an IDEA module and all
> this discussion).

There are certainly other ciphers there, but OpenPGP has a preferences
system to give guidance as to what ciphers are usable for a given key.
This prevents one user from encrypting something in a way that the
recipient cannot handle.  Using a cipher (IDEA or otherwise) in
violation of the preferences violates OpenPGP ("An implementation MUST
NOT use a symmetric algorithm that is not in the recipient's
preference list").

In any event, like I said, it's not just IDEA.  It's RSA, it's key
size, etc.

David
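The packet-level checks this message describes (old-format packet header, v3 key, RSA, key size) and the OpenPGP cipher-preference rule it quotes, worked through as an added example. This is not code from the message, from GnuPG or from PGP; the function names are my own, and build_key_packet produces constructed test data (a placeholder modulus of the right bit length, not a real key). The 2048-bit limit is taken from the message's "<=2048 bit RSA keys"; the v3/old-format requirement follows from "PGP 2.x breaks on anything it doesn't understand", since v4 keys and new-format headers postdate it.

```python
# Added example, not GnuPG's or PGP's own code: parse OpenPGP public-key packets
# (RFC 4880 sections 4.2, 5.5.2) and apply the post's criteria for one message.
import struct

IDEA, TRIPLEDES = 1, 2        # symmetric algorithm ids, RFC 4880 sec. 9.2
RSA_ALGOS = {1, 2, 3}         # RSA, RSA encrypt-only, RSA sign-only
MAX_PGP2_RSA_BITS = 2048      # post: "<=2048 bit RSA keys"
PUBKEY, PUBSUBKEY = 6, 14     # packet tags, RFC 4880 sec. 4.3

def read_packet(buf, offset=0):
    """Parse one packet header; return (tag, new_format, body, next_offset)."""
    ctb = buf[offset]
    if not ctb & 0x80:
        raise ValueError("bit 7 clear: not a packet header")
    new_format = bool(ctb & 0x40)
    if new_format:                                    # RFC 4880 sec. 4.2.2
        tag, first = ctb & 0x3F, buf[offset + 1]
        if first < 192:
            length, hdr = first, 2
        elif first < 224:
            length, hdr = ((first - 192) << 8) + buf[offset + 2] + 192, 3
        elif first == 255:
            length, hdr = struct.unpack(">I", buf[offset + 2:offset + 6])[0], 6
        else:
            raise ValueError("partial body lengths are not handled here")
    else:                                             # old format: all PGP 2.x knows
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length is not handled here")
        hdr = {0: 2, 1: 3, 2: 5}[ltype]
        length = int.from_bytes(buf[offset + 1:offset + hdr], "big")
    start = offset + hdr
    return tag, new_format, buf[start:start + length], start + length

def read_mpi(body, pos):
    """RFC 4880 sec. 3.2: two-byte bit count, then the big-endian integer."""
    bits = struct.unpack(">H", body[pos:pos + 2])[0]
    end = pos + 2 + (bits + 7) // 8
    return bits, int.from_bytes(body[pos + 2:end], "big"), end

def parse_public_key(buf):
    """Describe the first public-key packet in buf: version, algorithm, size."""
    tag, new_format, body, _ = read_packet(buf)
    if tag not in (PUBKEY, PUBSUBKEY):
        raise ValueError(f"tag {tag} is not a public-key packet")
    version = body[0]
    if version not in (3, 4):
        raise ValueError(f"unsupported key version {version}")
    # v3 (PGP 2.x): created(4) validity(2) algo(1), RSA only; v4: created(4) algo(1)
    algo, pos = (body[7], 8) if version == 3 else (body[5], 6)
    bits, _, _ = read_mpi(body, pos)   # first MPI: n for RSA, p for DSA/Elgamal
    return {"tag": tag, "new_format": new_format, "version": version,
            "algo": algo, "bits": bits}

def pgp2_can_use_key(key):
    """Post: PGP 2.x breaks on anything it does not understand, so the key must
    be an old-format v3 RSA primary key of at most MAX_PGP2_RSA_BITS bits."""
    if key["new_format"] or key["version"] != 3 or key["tag"] != PUBKEY:
        return False, "not an old-format v3 primary key; PGP 2.x cannot parse it"
    if key["algo"] not in RSA_ALGOS:
        return False, f"public-key algorithm {key['algo']} is not RSA"
    if key["bits"] > MAX_PGP2_RSA_BITS:
        return False, f"{key['bits']}-bit RSA exceeds {MAX_PGP2_RSA_BITS} bits"
    return True, "v3 RSA key within PGP 2.x limits"

def choose_cipher(recipients):
    """recipients: list of (pref_list, is_pgp2). An OpenPGP list implicitly ends
    in 3DES (RFC 4880 sec. 13.2); PGP 2.x accepts only IDEA. Return the first
    cipher in the first recipient's list that all recipients accept, else None."""
    accepted = [[IDEA] if is_pgp2 else list(prefs) + ([] if TRIPLEDES in prefs else [TRIPLEDES])
                for prefs, is_pgp2 in recipients]
    return next((c for c in accepted[0] if all(c in a for a in accepted[1:])), None)

def single_message_possible(pgp2_user_key, other_key, other_prefs):
    """The post's case: user A on PGP 2.x, user B on anything else. One message
    works only if both keys pass pgp2_can_use_key and B's preferences allow IDEA."""
    for raw in (pgp2_user_key, other_key):
        ok, why = pgp2_can_use_key(parse_public_key(raw))
        if not ok:
            return False, why
    cipher = choose_cipher([([IDEA], True), (other_prefs, False)])
    if cipher is None:
        return False, "IDEA is not in the other recipient's cipher preferences"
    return True, f"one message, symmetric algorithm {cipher}"

def build_key_packet(version, algo, nbits, new_format=False):
    """Constructed test data, not a real key: a syntactically valid packet whose
    first MPI has exactly nbits bits (n for RSA); the second MPI is a placeholder e."""
    def mpi(x):
        return struct.pack(">H", x.bit_length()) + x.to_bytes((x.bit_length() + 7) // 8, "big")
    body = mpi((1 << (nbits - 1)) | 1) + mpi(65537)
    if version == 3:     # 1095424000 is a placeholder creation time
        body = bytes([3]) + struct.pack(">IHB", 1095424000, 0, algo) + body
    else:
        body = bytes([4]) + struct.pack(">IB", 1095424000, algo) + body
    if new_format:
        return bytes([0xC0 | PUBKEY, 0xFF]) + struct.pack(">I", len(body)) + body
    return bytes([0x80 | (PUBKEY << 2) | 1]) + struct.pack(">H", len(body)) + body
```

Running single_message_possible(build_key_packet(3, 1, 1024), build_key_packet(3, 1, 2048), [9, IDEA]) reports that one message is possible; swapping in a v4 key, a 4096-bit key, or a preference list without IDEA makes it report why two separate encryptions are needed instead.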
