encryption algorithm

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Dec 18 03:20:49 CET 2013


On 12/17/2013 08:27 PM, Robert J. Hansen wrote:
> Yes -- but no one is claiming that 112-bit keyspaces are vulnerable
> today, or at any time within the near future.  Further, moving to a
> 128-bit keyspace is not, IMO, any sort of a real win: you're only
> gaining 16 bits of keyspace.  At most you're pushing things back for a
> few years; it is not any kind of a long-term solution.

from ≈20 years to ≈30 years, if we believe ECRYPT.  Of course it's not a
forever solution.  It's still a significant improvement, and it's one we
can afford.

>> If we want to "even out" the crypto so that no one part is clearly
>> weaker to attack than the others, we ought to increase our RSA
>> keylengths by default.
> 
> Whoa there a second!  You might want to backspace and overstrike that,
> because you just shifted to arguing that "since GnuPG defaults to
> AES-256, we need to use RSA-15000 by default otherwise the asymmetric
> portion will clearly be weaker to attack than the others."
> 
> We don't want to even out the cryptosystem.  We want to ensure that each
> component of the cryptosystem meets or exceeds our minimum standards for
> cryptanalytic resistance -- but the notion of "evening out" the system
> is, as near as I can tell, fashionable nonsense.

sigh.  "weakest link" analysis is clearly useful, and just as clearly
not the only analytic tool to use.

I argued: right now gpg's weakest links are the default RSA key length
and the digest used in cryptographic certification.  Let's improve them
both.

Your argument in response seems to be "whoa! if we improve them all the
way to the symmetric cipher length it would be computationally infeasible!"

This is not an argument for not improving the weakest link.  I agree
with you that RSA doesn't scale well computationally as we approach
equivalence to 256-bit symmetric ciphers.  I'm not suggesting we take
that step.

>> Do we want the asymmetric key length to be the weakest link for users
>> of GPG's default choices?
> 
> Unless we move to RSA-15000, it will be.

so, how much weaker are you ok with?  3072-bit keys are functional and
available now, and even according to NIST's standards (i'm glad you
still feel they're trustworthy, even in the context of them having
issued a deliberately bad RNG, and their keylength recommendations being
weaker than everyone else's!)

> I agree that a stronger asymmetric component would be nice, but I don't
> believe RSA is the way to go.  We're already on the brink of introducing
> ECC support into GnuPG.  I think that once ECC support is introduced in
> the mainline, it will then be an appropriate time to revisit the
> question.  I would support shifting to stronger asymmetric component(s)
> at that time, but I don't think it's worth the headache of changing the
> defaults if we're just going to change them *again* in under a year.

Of course when ECC is available, we may want to shift to ECC.  But ECC
is not currently available, and even when it becomes available, RSA will
be the dominant key type for years.

This is a terrible argument for not improving the default RSA key length
today.  It costs very little to change the default, and it signals the
user community that we take the existence of well-funded adversaries
seriously.

[from your other followup]
> I am not in favor of covering more than 'virtually all users' and
> 'virtually all purposes.'  The difference between 99% of GnuPG's users
> and 100% of GnuPG's users is, first of all, impossible to close, and
> second of all, requires ever-increasing expense just to approximate it.

We're engineers talking about building safety and security
infrastructure here.  Of course we may not get it right; bridges built
with what they thought was a 200% safety margin have collapsed due to
unforeseen factors.  But we can make sure that we build in what we
currently believe is a safety margin beyond what we believe anyone
*should* need, and it is the responsible thing to do.  Targeting exactly
at the 99% percentile is irresponsible when we can safely and reasonably
overshoot.

To be clear: i'm not advocating for moving to 15000-bit or 30000-bit RSA
keys by default.  I'm advocating having a baseline
128-bit-symmetric-equivalent security by default, on all aspects of the
cryptosystem.

	--dkg
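
The weakest-link comparison argued in the message above, as an added example that is not part of the original post or of GnuPG. It assumes the GNFS-based strength estimate published in NIST FIPS 140-2 Implementation Guidance 7.5 and the generic n/2 collision bound for digests; the two profiles and all function names are constructed for illustration.

```python
import math

def rsa_strength_bits(modulus_bits):
    """Symmetric-equivalent strength of an RSA modulus (estimate from
    NIST FIPS 140-2 IG 7.5, based on GNFS running time)."""
    x = modulus_bits * math.log(2)
    return (1.923 * x ** (1 / 3) * math.log(x) ** (2 / 3) - 4.69) / math.log(2)

def digest_strength_bits(output_bits):
    """Generic collision resistance of a digest used for signatures: n/2."""
    return output_bits / 2

def audit(profile, baseline=128):
    """Return (weakest component, strengths, components below the baseline)."""
    strengths = {
        "rsa": rsa_strength_bits(profile["rsa_bits"]),
        "digest": digest_strength_bits(profile["digest_bits"]),
        "cipher": float(profile["cipher_bits"]),
    }
    weakest = min(strengths, key=strengths.get)
    below = sorted(name for name, bits in strengths.items() if bits < baseline)
    return weakest, strengths, below

def min_rsa_bits(target_bits, step=256):
    """Smallest modulus size (multiple of step) that reaches target_bits."""
    n = step
    while rsa_strength_bits(n) < target_bits:
        n += step
    return n

# Constructed profiles, not taken from any GnuPG release.
WEAK_LINKS = {"rsa_bits": 2048, "digest_bits": 160, "cipher_bits": 256}
BASELINE_128 = {"rsa_bits": 3072, "digest_bits": 256, "cipher_bits": 128}

if __name__ == "__main__":
    for name, profile in (("weak links", WEAK_LINKS), ("128-bit baseline", BASELINE_128)):
        weakest, strengths, below = audit(profile)
        detail = ", ".join(f"{k}={v:.0f}" for k, v in strengths.items())
        print(f"{name}: {detail}; weakest={weakest}; below 128: {below or 'none'}")
    print("modulus needed for 128-bit equivalence:", min_rsa_bits(128))
    print("modulus needed for 256-bit equivalence:", min_rsa_bits(256))
```

Raising the cipher size alone leaves the first profile's overall strength unchanged, since the result is set by its digest and RSA components.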
