riseup.net OpenPGP Best Practices article

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Jul 4 05:22:27 CEST 2014


On 06/28/2014 12:09 AM, Robert J. Hansen wrote:
> When faced with that, it's only a matter of time until Alice decides to
> put 3DES first in her own preference list.  And then all her
> communications to Bob have 112 bits of keyspace, not the 256 Bob
> demands.

I think you're talking about personal-cipher-preferences here, which
Alice uses to govern the cipher she uses.  Note that she could even put
IDEA first here.  Are you suggesting that she *removes* all other cipher
algorithms from her advertised preference list as well, or does she
actually advertise all ciphers her OpenPGP implementation is capable of?

> And unless Bob is paranoid enough to check the symmetric
> algorithm used on every single encrypted message, Bob will never know
> that Alice's communications to him have been degraded.

Well, OK.  Alice could also publish the cleartext on her blog, and Bob
would never know it if he doesn't read her blog.  Bob can't control what
Alice does; what he can do is to advertise his preferences in a
cryptographically-verifiable way, and set *his own*
personal-cipher-preferences to prefer stronger ciphers.

Then, unless Alice has actively removed all ciphers from her advertised
preferences except for 3DES, Bob's personal-cipher-preferences will take
precedence in the messages that he sends.

I feel like I shouldn't have to point this out, but:

 * This is what the best practices page we've been discussing is suggesting.

This is the right thing to do, and Bob should do it, regardless of
whatever bad advice Alice has bought into.

Arguing that it's hopeless/pointless/harmful to prefer stronger ciphers
yourself because one of your correspondents might be tricked into
disabling stronger ciphers makes no sense from either a security or
interoperability perspective.  I'm really sorry to hear about your
graduate student debt, Rob, but this is not the best way to pay it off :P

> Werner and others are absolutely right: there is no *technical* way to
> degrade things to 3DES.  But given that cipher preference lists are
> fundamentally a *human* decision, well... the human being is always
> exploitable.

Of course.  And we should make our defaults better and encourage
stronger mechanisms for everyone, instead of trying to claim that using
well-known, widely-adopted, clearly-specified, longstanding algorithms
is somehow "breaking the spec".

I'm sure you're not trying to claim that AES is actually a worse cipher
than DES, or that members of the SHA-2 family are actually worse digests
than SHA-1.  So I think the scenario you paint above reinforces the
points made by the riseup best practices document.

	--dkg
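
A simplified model of the cipher selection discussed in this message, as an added example that is not part of the original post and is not GnuPG's code: the sender's personal preference order is applied to the ciphers every recipient accepts, with 3DES tacitly acceptable to all (RFC 4880). The function names and the preference lists are constructed for illustration, and the fallback used when no personal preference matches is an assumption.

```python
# Simplified model of OpenPGP symmetric-cipher selection (illustrative only).
TRIPLE_DES = "3DES"  # RFC 4880: tacitly at the end of every preference list


def acceptable(advertised):
    """Ciphers a recipient accepts, in advertised order, with 3DES implied last."""
    prefs = list(advertised)
    if TRIPLE_DES not in prefs:
        prefs.append(TRIPLE_DES)
    return prefs


def choose_cipher(personal_prefs, recipients_advertised):
    """Cipher a sender would use for one message.

    personal_prefs: the sender's own ordered list (models
        personal-cipher-preferences); it never leaves the sender's machine.
    recipients_advertised: one advertised preference list per recipient key.
    """
    accepted = [acceptable(adv) for adv in recipients_advertised]
    common = set(accepted[0]).intersection(*accepted[1:])
    # The sender's ordering wins among ciphers that every recipient accepts.
    for cipher in personal_prefs:
        if cipher in common:
            return cipher
    # Assumed fallback: first recipient's order. 3DES is always in `common`.
    return next(c for c in accepted[0] if c in common)


# Constructed preference lists for the two correspondents.
ALICE_ADVERTISED = ["AES256", "AES192", "AES", "CAST5", "3DES"]
ALICE_PERSONAL = ["3DES"]                    # the degraded setting from the quote
BOB_ADVERTISED = ["AES256", "AES192", "AES"]
BOB_PERSONAL = ["AES256", "AES192", "AES"]

if __name__ == "__main__":
    # Alice -> Bob: her personal list picks 3DES, and Bob cannot prevent it.
    print("Alice -> Bob:", choose_cipher(ALICE_PERSONAL, [BOB_ADVERTISED]))
    # Bob -> Alice: his personal list applies because she still advertises AES256.
    print("Bob -> Alice:", choose_cipher(BOB_PERSONAL, [ALICE_ADVERTISED]))
    # Only if Alice advertises nothing but 3DES is Bob forced down to it.
    print("Bob -> Alice (3DES only):", choose_cipher(BOB_PERSONAL, [["3DES"]]))
```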
