s2k-cipher-mode default

Robert J. Hansen rjh at sixdemonbag.org
Tue Jun 2 21:46:18 CEST 2015 

> To be clear, it's not "one of my keys" in the asymmetric key sense, 
> where you, rjh, have only a handful over your lifetime.  Every time 
> you send an encrypted message, GnuPG generates a new AES key to 
> encrypt that message with.  So "one of my messages' keys" is more 
> accurate.

Yes, I understood that.  I think maybe you're misunderstanding: if it
was a case of my asymmetric key being compromised, I'd take it more
seriously.  (Not much more seriously: it's still far out there.)

If an asymmetric key is compromised then past and future traffic gets
revealed, people can forge new signatures, the WoT can be abused and
misused... it gets very nasty very quickly.  But looking through my
sent-mail folder, the last encrypted email I sent was to a friend
offering to buy him a drink when we met up at a science fiction
convention in Baltimore.

The likelihood of a compromised asymmetric key leading to terrible
consequences is high.  The likelihood of a compromised symmetric key
leading to terrible consequences... not so much.  If someone breaks my
RSA key I'm going to be extraordinarily upset.  If someone learns I
offered to buy a friend a drink in Baltimore, I'm going to be annoyed.

I'm just fine with the per-message risk.

> And (sorry Rob) i don't care only about your keys (or your messages'
> keys).  I care about all the messages ever generated by GnuPG.  If
> an attacker can do 2^78 computations, I'd prefer it if they couldn't
> break even one of the messages ever created by GnuPG.

Daniel, seriously: sit down and run the math.  If you don't have a copy
of Mathematica handy, Wolfram Alpha can do the arbitrary-precision math
needed so you can be sure I'm not misleading you.

Each message has a 10**-53 chance of being part of the weak set.  The
likelihood of a message being part of the strong set is (1 - 10**-53).
Raise that to a power N and you get the probability of *all* keys being
part of the strong set.

Here's the takeaway: after 10^50 keys there's still a 99.9% chance all
the keys are strong.

[Note for UK/European readers: 'million' here denotes an American
million: 1,000,000.]

Do you think GnuPG will ever generate 10^50 keys?  I certainly don't.
Assuming there are a million GnuPG installations generating a million
AES-128 keys a second, running continuously, that's only about 10^19
keys per year.  You'd have to run these million machines for
substantially longer than the lifetime of the universe to even have a
statistically significant chance of generating a weak key.

At this point the conversation is bikeshedding.  IMO, there's absolutely
no reason to think your scenario is likely, and many reasons to think
it's not.

	1.  We can't generate 10^50 messages.
	2.  An adversary can't store 10^50 messages.
	3.  An adversary who has 10^50 messages will not be
	    satisfied with a 0.1% chance of breaking just one
	    of them.

djb is a smart guy and I have no doubt that what he's talking about is
real.  It's also such an incredibly theoretical attack that it really
doesn't deserve to be brought up in a conversation about real-world
cryptography.

Given this, I would feel much better if Werner were to spend his time
reviewing the code for exploitable bugs than spending even five minutes
changing the s2k default from AES-128 to AES-256.  The five minutes
spent reviewing code stand a very small chance of discovering something
exploitable -- call it one in a billion -- but that's still so much more
productive a use of time than using those same five minutes to defend
against an attack of such vanishing small probability that we have to
break out Mathematica to talk about it.

> I don't think so.  He is thinking about the whole field, though, 
> rather than thinking about "what are the chances that a baseball
> will happen to land right where i'm standing right now?"  I also
> care about the whole field.

I suggest you worry about the Yellowstone Caldera while you're at it.
That has a far greater likelihood of taking out your entire baseball
stadium.  :)



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20150602/7470d00c/attachment.sig>

More information about the Gnupg-users mailing list