s2k-cipher-mode default

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Jun 2 20:37:29 CEST 2015


On Tue 2015-06-02 14:26:39 -0400, Robert J. Hansen wrote:
>> Even worse, there are standard attacks that find _at least one_ of 
>> the keys using just 2^78 easy computations, a feasible computation 
>> today.
>
> So there's a 10**-88 chance that one of my keys can be broken in 10**53
> computations?  Sign me up.

To be clear, it's not "one of my keys" in the asymmetric key sense,
where you, rjh, have only a handful over your lifetime.  Every time you
send an encrypted message, GnuPG generates a new AES key to encrypt that
message with.  So "one of my messages' keys" is more accurate.

And (sorry Rob) i don't care only about your keys (or your messages'
keys).  I care about all the messages ever generated by GnuPG.  If an
attacker can do 2^78 computations, I'd prefer it if they couldn't
break even one of the messages ever created by GnuPG.  I don't get to
decide which of our users to throw under the bus in that case.  But if
we move to AES-256, we remove this attack, which means that none of our
users get thrown under this particular bus.

Given that these calculations are not a bottleneck for users, we should
move them all to the stronger cipher by default.

[ note that the argument here is now heading toward "what should the
  default cipher be?", though i started with "what should the default
  s2k cipher mode be?" -- I still want to focus on the s2k mode
  question, because it protects secret key material, and i think that's
  higher priority and an even more-obvious win; i'm happy to broaden the
  discussion as long as it doesn't distract from the s2k-cipher-mode
  question ]

> I have a lot of respect for djb, but on this one he's just way off in
> left field.

I don't think so.  He is thinking about the whole field, though, rather
than thinking about "what are the chances that a baseball will happen to
land right where i'm standing right now?"  I also care about the whole
field.

Regards,

        --dkg
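The multi-target (batch) brute force that the thread is arguing about, as an added illustration that is not part of this message or of GnuPG's code. It assumes a toy 20-bit key space so the search runs in seconds, a SHA-256 keyed hash as a stand-in for AES, a constructed known-plaintext header, and reads the thread's 2^78 figure as 2^128 work spread over 2^50 message keys (2^128 / 2^50 = 2^78). The point it demonstrates is dkg's: the attacker tests each candidate key against every message at once, so the cost of recovering *somebody's* session key drops with the number of messages, and the attacker does not choose which user that is; a 256-bit key puts the same attack back at 2^206.

```python
import hashlib
import random

# Assumption: toy key size so the exhaustive search finishes quickly.
# AES-128 would be 128 bits here; the arithmetic below uses the real sizes.
KEY_BITS = 20
# Constructed known plaintext: the attacker knows some bytes every message starts with.
KNOWN_PLAINTEXT = b"OpenPGP-style known header"


def toy_encrypt(key: int, plaintext: bytes) -> bytes:
    """Stand-in for AES (assumption): a keyed hash truncated to 8 bytes.
    Not a cipher, but it has the one property the attack needs: one trial
    computation per candidate key, comparable against many targets."""
    return hashlib.sha256(key.to_bytes(4, "big") + plaintext).digest()[:8]


def make_targets(n_messages: int, rng: random.Random) -> dict:
    """Simulate n_messages messages, each under a fresh random session key,
    the way GnuPG generates a new key per encrypted message.
    Maps ciphertext-of-known-plaintext -> session key; the attacker only
    sees the ciphertexts (the dict keys)."""
    targets = {}
    while len(targets) < n_messages:
        k = rng.getrandbits(KEY_BITS)
        targets[toy_encrypt(k, KNOWN_PLAINTEXT)] = k
    return targets


def multi_target_bruteforce(target_cts: set) -> tuple:
    """One pass over the key space.  Each trial encryption is checked against
    every target at once (a set lookup), so the expected work to hit *some*
    target is the key space divided by the number of targets."""
    for trials, k in enumerate(range(2 ** KEY_BITS), start=1):
        if toy_encrypt(k, KNOWN_PLAINTEXT) in target_cts:
            return trials, k
    raise RuntimeError("no key found")  # unreachable: every target key lies in the key space


def expected_trials(key_bits: int, n_targets: int) -> float:
    """Expected trials until the first of n_targets uniformly random keys is hit."""
    return 2 ** key_bits / (n_targets + 1)


def multitarget_cost_bits(key_bits: int, target_bits: int) -> int:
    """log2 of the brute-force work to recover at least one of 2**target_bits keys."""
    return key_bits - target_bits


def run_demo(n_messages: int, seed: int = 1) -> dict:
    """Generate n_messages targets with a seeded RNG and run the batch search."""
    rng = random.Random(seed)
    targets = make_targets(n_messages, rng)
    trials, key = multi_target_bruteforce(set(targets))
    victim_ct = toy_encrypt(key, KNOWN_PLAINTEXT)
    return {
        "trials": trials,
        "expected": expected_trials(KEY_BITS, n_messages),
        "recovered_key": key,
        # The attacker got a real session key, but had no say in whose message it unlocks.
        "is_real_session_key": targets[victim_ct] == key,
    }


if __name__ == "__main__":
    for n in (1, 1024):
        r = run_demo(n)
        print(f"{n:5d} message(s): first session key after {r['trials']:7d} trials "
              f"(expected ~{r['expected']:.0f})")
    print("AES-128 against 2^50 message keys: 2^%d work" % multitarget_cost_bits(128, 50))
    print("AES-256 against 2^50 message keys: 2^%d work" % multitarget_cost_bits(256, 50))
```

Running it with a single message costs on the order of half the key space; with 1024 messages the first hit arrives roughly a thousand times sooner, which is the whole of the attack: no cryptanalysis of the cipher, just amortising one key search over everyone's messages. That is also why the fix is key length rather than a better cipher mode.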
More information about the Gnupg-users mailing list