s2k-cipher-mode default

Robert J. Hansen rjh at sixdemonbag.org
Tue Jun 2 20:26:39 CEST 2015

> Let's consider an adversary that can store as many OpenPGP-encrypted 
> messages as it has access to.  Maybe it sniffs SMTP traffic as well?
> If the attacker is interested in breaking the crypto of any *one* of
> these messages, it can reduce the amount of work it has to do
> significantly.

I think this is a pretty unrealistic thought experiment.  It requires
two conditions to be met:

	1.  A very large number of intercepted OpenPGP messages
	2.  An extremely well-funded adversary who only needs to
	    break one message, chosen at random, out of the very
	    large ingestion set, in order for the entire endeavor
	    to be considered a ringing success that justifies the
	    billions of dollars spent collecting #1

We don't have #1, but in the (oft-forlorn) hope we'll see more OpenPGP
adoption I'll give it to you.  But #2 isn't the description of any
real-world organization I've ever heard of.  Honestly, it sounds more
like a James Bond-style evil organization like SPECTRE or QUANTUM than
like anything that exists in the world.

(Quoting you quoting djb)

> There are standard attacks that break _all_ of 2^50 AES-128 keys 
> using a _total_ of 2^128 easy computations.

In other words, the likelihood of choosing one of the weak set by random
is 10**-53.  That's a one-in-

I'll take those odds.  Happily.  Twice on a Sunday.

(Still quoting you quoting djb)

> Even worse, there are standard attacks that find _at least one_ of 
> the keys using just 2^78 easy computations, a feasible computation 
> today.

So there's a 10**-88 chance that one of my keys can be broken in 10**53
computations?  Sign me up.

I have a lot of respect for djb, but on this one he's just way off in
left field.

> Of course, there aren't 2^50 AES-128-encrypted known-plaintext 
> OpenPGP messages today that such an attack would work on.  but why 
> would we want to leave users open to this?

(Meant as humor, not snark:)

I am much more concerned with the possibility of landing a hot date with
Claudia Schiffer[*], which is rudely interrupted by the eruption of the
Yellowstone Caldera that wipes out all life in North America, than I am
with any AES-128 weakness.  Landing a hot date with Claudia Schiffer and
the end of the world happening before I pick her up for our night out is
considerably more likely to happen.  It would also probably make me
considerably unhappier than a random AES key, somewhere, being broken.

Given I've spent about half an hour of my time calmly considering the
possibilities of your hypothetical, perhaps I might trouble you to spend
a minute or two coming up with a plan for how I might enjoy an evening
with Claudia even as the world ends?  I will understand if your reaction
is hysterical laughter.  :)

[*] You youngsters who have no idea who Claudia Schiffer is... when I
was your age, she was The Awesomeness.  Had a soft spot for her in my
heart for about the last twenty-five years.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3744 bytes
Desc: S/MIME Cryptographic Signature
URL: </pipermail/attachments/20150602/23cc537f/attachment.bin>

More information about the Gnupg-users mailing list