Daniel Kahn Gillmor
dkg at fifthhorseman.net
Tue Jun 2 20:37:29 CEST 2015
On Tue 2015-06-02 14:26:39 -0400, Robert J. Hansen wrote:
>> Even worse, there are standard attacks that find _at least one_ of
>> the keys using just 2^78 easy computations, a feasible computation
> So there's a 10**-88 chance that one of my keys can be broken in 10**53
> computations? Sign me up.
To be clear, it's not "one of my keys" in the asymmetric key sense,
where you, rjh, have only a handful over your lifetime. Every time you
send an encrypted message, GnuPG generates a new AES key to encrypt that
message with. So "one of my messages' keys" is more accurate.
And (sorry Rob) i don't care only about your keys (or your messages'
keys). I care about all the messages ever generated by GnuPG. If an
attacker can do 2^78 computations, I'd prefer it if they couldn't
break even one of the messages ever created by GnuPG. I don't get to
decide which of our users to throw under the bus in that case. But if
we move to AES-256, we remove this attack, which means that none of our
users get thrown under this particular bus.
Given that these calculations are not a bottleneck for users, we should
move them all to the stronger cipher by default.
[ note that the argument here is now heading toward "what should the
default cipher be?", though i started with "what should the default
s2k cipher mode be?" -- I still want to focus on the s2k mode
question, because it protects secret key material, and i think that's
higher priority and an even more-obvious win; i'm happy to broaden the
discussion as long as it doesn't distract from the s2k-cipher-mode
> I have a lot of respect for djb, but on this one he's just way off in
> left field.
I don't think so. He is thinking about the whole field, though, rather
than thinking about "what are the chances that a baseball will happen to
land right where i'm standing right now?" I also care about the whole
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 948 bytes
Desc: not available
More information about the Gnupg-users