s2k-cipher-mode default
Robert J. Hansen
rjh at sixdemonbag.org
Tue Jun 2 20:26:39 CEST 2015
> Let's consider an adversary that can store as many OpenPGP-encrypted
> messages as it has access to. Maybe it sniffs SMTP traffic as well?
> If the attacker is interested in breaking the crypto of any *one* of
> these messages, it can reduce the amount of work it has to do
> significantly.
I think this is a pretty unrealistic thought experiment. It requires
two conditions to be met:
1. A very large number of intercepted OpenPGP messages
2. An extremely well-funded adversary who only needs to
break one message, chosen at random, out of the very
large ingestion set, in order for the entire endeavor
to be considered a ringing success that justifies the
billions of dollars spent collecting #1
We don't have #1, but in the (oft-forlorn) hope we'll see more OpenPGP
adoption I'll give it to you. But #2 isn't the description of any
real-world organization I've ever heard of. Honestly, it sounds more
like a James Bond-style evil organization like SPECTRE or QUANTUM than
like anything that exists in the world.
(Quoting you quoting djb)
> There are standard attacks that break _all_ of 2^50 AES-128 keys
> using a _total_ of 2^128 easy computations.
In other words, the likelihood of choosing one of the weak set by random
is 10**-53. That's a one-in-
100,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000
chance.
I'll take those odds. Happily. Twice on a Sunday.
(Still quoting you quoting djb)
> Even worse, there are standard attacks that find _at least one_ of
> the keys using just 2^78 easy computations, a feasible computation
> today.
So there's a 10**-88 chance that one of my keys can be broken in 10**53
computations? Sign me up.
I have a lot of respect for djb, but on this one he's just way off in
left field.
> Of course, there aren't 2^50 AES-128-encrypted known-plaintext
> OpenPGP messages today that such an attack would work on. But why
> would we want to leave users open to this?
(Meant as humor, not snark:)
I am much more concerned with the possibility of landing a hot date with
Claudia Schiffer[*], which is rudely interrupted by the eruption of the
Yellowstone Caldera that wipes out all life in North America, than I am
with any AES-128 weakness. Landing a hot date with Claudia Schiffer and
the end of the world happening before I pick her up for our night out is
considerably more likely to happen. It would also probably make me
considerably unhappier than a random AES key, somewhere, being broken.
Given I've spent about half an hour of my time calmly considering the
possibilities of your hypothetical, perhaps I might trouble you to spend
a minute or two coming up with a plan for how I might enjoy an evening
with Claudia even as the world ends? I will understand if your reaction
is hysterical laughter. :)
[*] You youngsters who have no idea who Claudia Schiffer is... when I
was your age, she was The Awesomeness. Had a soft spot for her in my
heart for about the last twenty-five years.
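The cost arithmetic behind the quoted djb figures (2^50 targets, 2^128 total work for all of them, about 2^78 for at least one), shown on a toy cipher as an added worked example; this is not code from the original post or from GnuPG, and the 16-bit "cipher" and the sample keys are constructed stand-ins, not AES.

```python
"""Multi-target known-plaintext key search on a toy 16-bit cipher (constructed example)."""
import hashlib
import random

KEY_BITS = 16                                  # toy key size; the quoted figures use 128
PLAINTEXT = b"same known block under every key"  # constructed known plaintext shared by all targets


def toy_encrypt(key, plaintext):
    """Stand-in for a block cipher: keyed hash truncated to 8 bytes. Not AES."""
    return hashlib.sha256(key.to_bytes(4, "big") + plaintext).digest()[:8]


def expected_trials(key_bits, log2_targets):
    """Expected trials to recover at least one of 2**log2_targets keys.

    Every candidate key is checked against all targets with one dictionary
    lookup, so the effective search space shrinks by the number of targets:
    2**(128-50) == 2**78, the figure quoted from djb.
    """
    return 2 ** (key_bits - log2_targets)


def multi_target_search(ciphertexts, plaintext):
    """Return (trials, key, target_index) for the first target key recovered."""
    lookup = {c: i for i, c in enumerate(ciphertexts)}   # ciphertext -> which target
    for trials, candidate in enumerate(range(2 ** KEY_BITS), start=1):
        c = toy_encrypt(candidate, plaintext)
        if c in lookup:                                   # one lookup covers every target
            return trials, candidate, lookup[c]
    raise RuntimeError("no key found")   # unreachable: every target key is in range


def demo(log2_targets=6, seed=1):
    """Search 2**log2_targets constructed target keys and report the work done."""
    rng = random.Random(seed)                              # constructed, reproducible targets
    keys = [rng.randrange(2 ** KEY_BITS) for _ in range(2 ** log2_targets)]
    ciphertexts = [toy_encrypt(k, PLAINTEXT) for k in keys]
    trials, key, idx = multi_target_search(ciphertexts, PLAINTEXT)
    return {
        "trials": trials,
        "expected": expected_trials(KEY_BITS, log2_targets),
        "single_target_expected": 2 ** (KEY_BITS - 1),     # brute force against one key
        "found": key == keys[idx],
    }


if __name__ == "__main__":
    print(demo())
```

Breaking every target still costs one full 2**KEY_BITS sweep, which is the "total of 2^128" part of the quote; the saving only applies to finding some key.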