riseup.net OpenPGP Best Practices article

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Jul 4 07:01:23 CEST 2014


On 07/04/2014 12:08 AM, Robert J. Hansen wrote:
> Bob is all about "I must have at least 256 bits of keyspace in all my
> email!"  But Bob can't do that, because Alice can *always* degrade him
> to 112 bits by choosing 3DES.

Of course.  And Alice can always send Bob cleartext too.  Does that mean
that Bob shouldn't offer any encryption key at all because there's no
guarantee that it will be used?

> And since Bob is the target, and since
> we're assuming the enemy is well-financed and professional and capable
> of tricking people, Bob needs to stop thinking he can somehow guarantee
> 256 bits of keyspace in his emails.

Stronger keys are not about guaranteeing any particular level of
security -- they are about *permitting* that level of security (or, more
likely, about providing that much larger of a buffer against unknown
mathematical advances), should the other actors in the game do something
different.

GnuPG's current default of a 2048-bit RSA key is roughly 103-bit
symmetric equivalent.  When using keys of that size, breaking the key is
more likely to be accessible to a well-funded attacker than breaking the
symmetric cipher itself.  And consider the value of the different parts
of the cryptosystem: breaking the asymmetric key lets you break all the
ciphertexts ever encrypted to that key, whereas breaking the symmetric
cipher only allows access to a single ciphertext...

> "Using long certificates *may* give a larger effective keyspace, but
> really, you can only ever be certain of 112 bits of keyspace, so you
> should design your security model such that it only relies on 112 bits
> of keyspace" is accurate.

Except that you can't even rely on 112 bits of keyspace at all.  Even if
Alice doesn't just send cleartext, she could select bad keys for 3DES,
or have a compromised RNG, or lots of other failure modes.  You can't be
certain of any of it.  What you *can* do is offer stronger keys so that
the buffer against attack is able to be larger should the other aspects
hold up.

> But I think if long certificates were to be
> marketed that way, a lot of people would blink a few times and ask,
> "well, what's the point, then?"

Let's look at it the other way: if you do assume that the symmetric
ciphers in use give you 112-bit security, wouldn't a lot of people blink
a few times and ask "well, why would you use an asymmetric key with 1/500th
the resistance to brute force attack?"

	--dkg
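
Added example, not part of the original message: a Python sketch of the comparison argued above, showing which component limits a message for a given RSA modulus and symmetric cipher. It assumes the GNFS-based estimate from the ECRYPT II key-size reports (the post does not say where its 103-bit figure comes from); the function names are hypothetical.

```python
import math

# Symmetric strengths named in the thread (bits).
TRIPLE_DES_BITS = 112
AES256_BITS = 256

def rsa_symmetric_bits(modulus_bits):
    """Estimate the symmetric-equivalent strength of an RSA modulus.

    Assumption: GNFS cost L[1/3, (64/9)^(1/3)] with the 14-bit offset used
    in the ECRYPT II key-size reports. The post does not name its source.
    """
    ln_n = modulus_bits * math.log(2)
    work = (64 / 9) ** (1 / 3) * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return work / math.log(2) - 14

def weakest_link(modulus_bits, cipher_bits):
    """Return (effective bits, limiting component) for one encrypted message."""
    asym = rsa_symmetric_bits(modulus_bits)
    if asym < cipher_bits:
        return asym, "asymmetric key"
    return float(cipher_bits), "symmetric cipher"

def min_modulus_for(target_bits, step=256):
    """Smallest modulus size (a multiple of `step`) that reaches target_bits."""
    n = step
    while rsa_symmetric_bits(n) < target_bits:
        n += step
    return n

if __name__ == "__main__":
    for rsa in (1024, 2048, 3072, 4096):
        for name, bits in (("3DES", TRIPLE_DES_BITS), ("AES-256", AES256_BITS)):
            eff, limit = weakest_link(rsa, bits)
            print(f"RSA-{rsa} + {name}: ~{eff:.0f} bits, limited by the {limit}")
    # The gap behind the "1/500th" remark: 2^(112 - RSA-2048 estimate).
    gap = TRIPLE_DES_BITS - rsa_symmetric_bits(2048)
    print(f"RSA-2048 vs 3DES: factor of about {2 ** gap:.0f}")
    print("Smallest modulus matching 3DES:", min_modulus_for(TRIPLE_DES_BITS))
```

Under this estimate a 2048-bit key is the limiting component even when the sender picks 3DES, while a 4096-bit key moves the limit to the cipher the sender chose.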

