riseup.net OpenPGP Best Practices article

Robert J. Hansen rjh at sixdemonbag.org
Fri Jul 4 07:19:42 CEST 2014


> Of course.  And Alice can always send Bob cleartext too.  Does that mean
> that Bob shouldn't offer any encryption key at all because there's no
> guarantee that it will be used?

It means Bob should have a line item for that in his security model.
"Alice may send me cleartext."

It also means Bob should have a line in his security model, "Even if
Alice correctly uses OpenPGP to encrypt her email to me, I can only rely
on 112 bits of keyspace."

> stronger keys are not about guaranteeing any particular level of
> security -- they are about *permitting* that level of security (or, more
> likely, about providing that much larger of a buffer against unknown
> mathematical advances), should the other actors in the game do something
> different.

I love this idea: "permits."  Who permits it?  When designing a system,
you must assume that anything that's not a game-over is under the
enemy's control.  You're relying on *the enemy permitting it*.

If I'm trying to break your traffic, Daniel, the last thing I'll do is
tackle even 80-bit crypto.  Seriously.  Life's too short.  But if I have
to, the very first thing I'll do is find a way to degrade you into using
an inferior level than your model expects.  I'll go after Alice.  I'll
find some way to convince her to shift to 3DES.  And just like that, I,
the enemy, will revoke your permission to have 256-bit crypto on the
Alice->you link.  You'll have 112, because that's what I'll allow.

> GnuPG's current default of a 2048-bit RSA key is roughly 103-bit
> symmetric equivalent.

According to one group; according to NIST, it's 112.  That's quibbling,
though: a factor of 2**9 is irrelevant.

> Except that you can't even rely on 112 bits of keyspace at all.  Even if
> Alice doesn't just send cleartext, she could select bad keys for 3DES,
> or have a compromised RNG, or lots of other failure modes.

Sure, but this requires me to compromise Alice's box and violates the
game-over assumption that the endpoints are secure.

> Let's look at it the other way: if you do assume that the symmetric
> ciphers in use give you 112-bit security, wouldn't a lot of people blink
> a few times and ask "well, why would you use an asymmetric key with 1/500th
> the resistance to brute force attack?"

Because (a) according to NIST they're equivalent, (b) nine bits is
irrelevant, and (c) if you check the archives you'll discover I've been
rather kind to RSA-3072; it's beyond that where I've always said "oh,
give me a break already."

