Defaults
Werner Koch
wk at gnupg.org
Wed Mar 18 09:09:30 CET 2015
On Tue, 17 Mar 2015 20:44, rjh at sixdemonbag.org said:
> Given that 2.1 introduces a lot of new capabilities (mostly with respect
> to ECC), I think now, early on in the 2.1 series, would be a good time
> to discuss changing the defaults for newly-generated certificates.
Let's do a quick check of the status quo (I removed some of the extra
diagnostics from the examples):
Create a new key:
$ gpg --no-options --quick-gen-key 'test key <foo at example.org>'
About to create a key for:
"test key <foo at example.org>"
Continue? (Y/n) y
public and secret key created and signed.
pub rsa2048/50C4476F 2015-03-18
Key fingerprint = 11E9 91C2 36E0 21A6 1E35 A682 68CC E4C2 50C4 476F
uid [ultimate] test key <foo at example.org>
sub rsa2048/807D0FF4 2015-03-18
What are the preferences:
$ gpg --no-options --edit-key 50C4476F
gpg (GnuPG) 2.1.3-beta26; Copyright (C) 2015 Free Software Foundation, Inc.
Secret key is available.
pub rsa2048/50C4476F
created: 2015-03-18 expires: never usage: SC
trust: ultimate validity: ultimate
sub rsa2048/807D0FF4
created: 2015-03-18 expires: never usage: E
[ultimate] (1). test key <foo at example.org>
gpg> showpref
[ultimate] (1). test key <foo at example.org>
Cipher: AES256, AES192, AES, 3DES
Digest: SHA256, SHA384, SHA512, SHA224, SHA1
Compression: ZLIB, BZIP2, ZIP, Uncompressed
Features: MDC, Keyserver no-modify
Sign something (there is only the above new key in the keyring):
$ fortune | gpg --no-options --clearsign -v
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Whenever people agree with me I always feel I must be wrong.
-- Oscar Wilde
gpg: RSA/SHA256 signature from: "50C4476F test key <foo at example.org>"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQEcBAEBCAAGBQJVCSpjAAoJEGjM5MJQxEdvQOUH/1G0xVxUppAHjqy6E5h8Pds+
R9IhpACMwx+b01KudyTQ1rw1Y6Gy47vRhtaZaY9H7g9Ua8N7CtDWDUlbN/A+vovr
7NX7yh8VXNqTYg9iCbwtL3KrN5b+gImWC7XxKgmJ5MqtRdOnjrGRG+R/1Yz/K6+3
dKtD+o7WSToWiZRaqraIEFaHuHHPhhTbZd9rPkkoVhR8IfuwVP9WiWgL1En1khiC
jNN4XBTO6JYm9wxYnbKTr5pIkNIdkXJEXSSO0VDu+jcx0eXiQlHVM2Za+8F0e59o
rhaD61+7MFRp7W85eq9DphK8ZQkYSiVFmxP05KtBn0ym+CWyOZQTknJTZq2rpGI=
=TRJn
-----END PGP SIGNATURE-----
Do an symmetric encryption:
$ fortune | gpg --no-options -ca -v
gpg: using cipher AES
gpg: writing to stdout
-----BEGIN PGP MESSAGE-----
Version: GnuPG v2
jA0EBwMCEKZ9P8JsqIXk0n0BXv33OI6+DtCIKj4eizkTHI4uFnlwYxa8mGDmNPZX
7f8Q0f5L621bNvyIgCrV+gmfMXbXd2jtUXOAu0Q/g9gpkNEQhEJKcFBk1VDaAM0j
dg8LeF/iT8HUjSmsWXbOCvYRh3MtIbYSEC299yBZJ+gG44Akgypl80dubLXhcA==
=doWz
-----END PGP MESSAGE-----
Now:
> * Offer Brainpool-512 and RSA-3072 as options for
> newly-generated certificates
The default is RSA-2048 but there is an option to create RSA-3072. GUIs
may choose there own defaults.
Using Brainpool as default for ECC (by the time we can get ECC out of
the export mode) is obvious something the German secret services would
like to see. Given recent revelations about the BSI and its support for
"remote forensic toolkits" (aka Federal Trojan Tool) won't convince
people that Brainpool curves are safer than NIST curves. Anyway the
plan is to make Curve25519 the default for ECC. There are also options
for stronger ECC curves not related to US or European standard bodies.
> * Use AES256 for a symmetric cipher
As shown above AES128 (AES) is the default for symmetric encryption.
Symmetric encryption is for whatever reasons commonly used for bulk data
encryption and performace si a matter here:
AES | nanosecs/byte mebibytes/sec cycles/byte
CFB enc | 1.77 ns/B 537.9 MiB/s 4.08 c/B
CFB dec | 0.365 ns/B 2612.1 MiB/s 0.840 c/B
AES256
CFB enc | 2.47 ns/B 386.5 MiB/s 5.67 c/B
CFB dec | 0.530 ns/B 1799.4 MiB/s 1.22 c/B
Thus on my X220 you get a 40% speedup by using 128 bit AES. Well, the
number are from Libgcrypt and don't include the overhead due to the
protocol but it is faster.
For public key encryption AES-256 will anyway be used by default.
> * Raise a warning if the user attempts to encrypt more
> than 4 GiB with an old (64-bit block) cipher
Except for 3DES there is no 64 bit block cipher in the preferences:
Cipher: AES256, AES192, AES, 3DES
A key capable of only 3DES will be rare and must have been created on
purpose or by very old software. They want 3DES and thus they get it.
> * Only use CAST5 if the user explicitly requests it via
> default-cipher-preferences: prefer 3DES over CAST5
Already done. See above.
> * Only use IDEA if the user explicitly requests it via
> default-cipher-preferences: prefer 3DES over IDEA
IDEA is not included in the preferences.
> * Use SHA256 for RSA-3072/-4096 signatures and SHA512
> for Brainpool-512
Already used even for RSA-2048. See example above.
> * CAST5 is not in good health: as was recently mentioned in
> the IETF WG mailing list, the Canadians themselves still
I have seen no arguments why CAST5-128 as used by OpenPGP is now weaker
than other 64 ciphers. BTW, the post mentioning CAST5 also falsely
claimed that CAST5 is a 128 bit blocksize cipher. Maybe the confusion
comes from the fact CAST is actually a method to create block ciphers.
But we it is not used anway.
> * 3DES is still the Rock of Gibraltar. Big, slow, ungainly,
> and strong. It's nobody's idea of a good modern cipher, but
Here are the numbers; for fairness AES-NI (Intel's AES hardware support)
has been disabled:
AES | nanosecs/byte mebibytes/sec cycles/byte
CFB enc | 3.88 ns/B 245.8 MiB/s 8.92 c/B
CFB dec | 3.18 ns/B 299.6 MiB/s 7.32 c/B
3DES
CFB enc | 37.69 ns/B 25.30 MiB/s 86.69 c/B
CFB dec | 20.04 ns/B 47.58 MiB/s 46.10 c/B
Salam-Shalom,
Werner
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
More information about the Gnupg-users
mailing list