riseup.net OpenPGP Best Practices article

Robert J. Hansen rjh at sixdemonbag.org
Sat Jun 28 06:09:40 CEST 2014 

Since it looks as if I'm going to be out of contact for the next few
days (traveling), I figured I'd share the degradation a little early --

Alice and Bob are communicating.  Bob insists on using extremely large
keyspaces: his certificate is RSA-16384 and his preference list is
AES256 CAMELLIA256.  Alice does not.  She's not naive or clueless: she's
a competent user who understands that Bob insists everything be
encrypted with an RSA-16384 certificate.

Charlene wants to degrade Bob to 112 bits of effective keyspace.  (Why?
 Beats me.  Let's say she's working for the Zarbnulaxian Intelligence
Service, and ZIS has tasked her with preparing the Earth for its
eventual domination.  To further this goal, ZIS has given her a quantum
computer one of them got from their kid's breakfast cereal box.  It
doesn't provide enough qubits to break RSA, but can attack 3DES.)

Charlene can't do anything to Bob.  She *can* do something to Alice.
The next conference Alice goes to, the next OpenPGP Birds of a Feather,
Charlene makes sure people there are talking about how 3DES is "really
the most-trusted cipher in all of OpenPGP."[*]  Charlene makes sure a
few well-written webpages get put up talking about how 3DES is really a
superior choice to AES256 because Cortois[**].  Ultimately, Charlene
arranges for Alice to meet someone else who's privacy-paranoid and
insists that Alice only use 3DES to communicate, because "that's the
only MUST algorithm in OpenPGP, it's the most interoperable, and because
it's been turning brilliant young cryptanalysts into burned-out
alcoholic wrecks for 30 years" [***].

When faced with that, it's only a matter of time until Alice decides to
put 3DES first in her own preference list.  And then all her
communications to Bob have 112 bits of keyspace, not the 256 Bob
demands.  And unless Bob is paranoid enough to check the symmetric
algorithm used on every single encrypted message, Bob will never know
that Alice's communications to him have been degraded.

Werner and others are absolutely right: there is no *technical* way to
degrade things to 3DES.  But given that cipher preference lists are
fundamentally a *human* decision, well... the human being is always
exploitable.



[*]   ... which is probably true.
[**]  ... of which I've seen several.
[***] ... okay, yes, Charlene paid me to hook up with Alice.  YOU
      DON'T UNDERSTAND HOW CRUSHING GRADUATE STUDENT DEBT IS, OKAY?

More information about the Gnupg-users mailing list