Defaults

Werner Koch wk at gnupg.org
Wed Mar 18 09:09:30 CET 2015


On Tue, 17 Mar 2015 20:44, rjh at sixdemonbag.org said:
> Given that 2.1 introduces a lot of new capabilities (mostly with respect
> to ECC), I think now, early on in the 2.1 series, would be a good time
> to discuss changing the defaults for newly-generated certificates.

Let's do a quick check of the status quo (I removed some of the extra
diagnostics from the examples):

Create a new key:

  $ gpg --no-options --quick-gen-key 'test key <foo at example.org>'
  About to create a key for:
      "test key <foo at example.org>"
  
  Continue? (Y/n) y
  public and secret key created and signed.
  
  pub   rsa2048/50C4476F 2015-03-18
        Key fingerprint = 11E9 91C2 36E0 21A6 1E35  A682 68CC E4C2 50C4 476F
  uid       [ultimate] test key <foo at example.org>
  sub   rsa2048/807D0FF4 2015-03-18
  
What are the preferences:  
  
  $ gpg --no-options --edit-key 50C4476F
  gpg (GnuPG) 2.1.3-beta26; Copyright (C) 2015 Free Software Foundation, Inc.
  Secret key is available.
  
  pub  rsa2048/50C4476F
       created: 2015-03-18  expires: never       usage: SC  
       trust: ultimate      validity: ultimate
  sub  rsa2048/807D0FF4
       created: 2015-03-18  expires: never       usage: E   
  [ultimate] (1). test key <foo at example.org>
  
  gpg> showpref
  [ultimate] (1). test key <foo at example.org>
       Cipher: AES256, AES192, AES, 3DES
       Digest: SHA256, SHA384, SHA512, SHA224, SHA1
       Compression: ZLIB, BZIP2, ZIP, Uncompressed
       Features: MDC, Keyserver no-modify

Sign something (there is only the above new key in the keyring):

  $ fortune | gpg --no-options --clearsign -v 
  -----BEGIN PGP SIGNED MESSAGE-----
  Hash: SHA256
  
  Whenever people agree with me I always feel I must be wrong.
                  -- Oscar Wilde
  gpg: RSA/SHA256 signature from: "50C4476F test key <foo at example.org>"
  -----BEGIN PGP SIGNATURE-----
  Version: GnuPG v2
  
  iQEcBAEBCAAGBQJVCSpjAAoJEGjM5MJQxEdvQOUH/1G0xVxUppAHjqy6E5h8Pds+
  R9IhpACMwx+b01KudyTQ1rw1Y6Gy47vRhtaZaY9H7g9Ua8N7CtDWDUlbN/A+vovr
  7NX7yh8VXNqTYg9iCbwtL3KrN5b+gImWC7XxKgmJ5MqtRdOnjrGRG+R/1Yz/K6+3
  dKtD+o7WSToWiZRaqraIEFaHuHHPhhTbZd9rPkkoVhR8IfuwVP9WiWgL1En1khiC
  jNN4XBTO6JYm9wxYnbKTr5pIkNIdkXJEXSSO0VDu+jcx0eXiQlHVM2Za+8F0e59o
  rhaD61+7MFRp7W85eq9DphK8ZQkYSiVFmxP05KtBn0ym+CWyOZQTknJTZq2rpGI=
  =TRJn
  -----END PGP SIGNATURE-----
   
Do a symmetric encryption:
 
  $ fortune | gpg --no-options -ca -v         
  gpg: using cipher AES
  gpg: writing to stdout
  -----BEGIN PGP MESSAGE-----
  Version: GnuPG v2
  
  jA0EBwMCEKZ9P8JsqIXk0n0BXv33OI6+DtCIKj4eizkTHI4uFnlwYxa8mGDmNPZX
  7f8Q0f5L621bNvyIgCrV+gmfMXbXd2jtUXOAu0Q/g9gpkNEQhEJKcFBk1VDaAM0j
  dg8LeF/iT8HUjSmsWXbOCvYRh3MtIbYSEC299yBZJ+gG44Akgypl80dubLXhcA==
  =doWz
  -----END PGP MESSAGE-----


Now:

> 	* Offer Brainpool-512 and RSA-3072 as options for
> 	  newly-generated certificates

The default is RSA-2048 but there is an option to create RSA-3072.  GUIs
may choose their own defaults.

Using Brainpool as default for ECC (by the time we can get ECC out of
the export mode) is obviously something the German secret services would
like to see.  Given recent revelations about the BSI and its support for
"remote forensic toolkits" (aka Federal Trojan Tool), this won't convince
people that Brainpool curves are safer than NIST curves.  Anyway the
plan is to make Curve25519 the default for ECC.  There are also options
for stronger ECC curves not related to US or European standards bodies.

> 	* Use AES256 for a symmetric cipher

As shown above AES128 (AES) is the default for symmetric encryption.
Symmetric encryption is for whatever reasons commonly used for bulk data
encryption and performance is a matter here:

 AES            |  nanosecs/byte   mebibytes/sec   cycles/byte
        CFB enc |      1.77 ns/B     537.9 MiB/s      4.08 c/B
        CFB dec |     0.365 ns/B    2612.1 MiB/s     0.840 c/B
 AES256 
        CFB enc |      2.47 ns/B     386.5 MiB/s      5.67 c/B
        CFB dec |     0.530 ns/B    1799.4 MiB/s      1.22 c/B

Thus on my X220 you get a 40% speedup by using 128 bit AES.  Well, the
numbers are from Libgcrypt and don't include the overhead due to the
protocol but it is faster.

For public key encryption AES-256 will anyway be used by default.

> 	* Raise a warning if the user attempts to encrypt more
> 	  than 4 GiB with an old (64-bit block) cipher

Except for 3DES there is no 64 bit block cipher in the preferences:

       Cipher: AES256, AES192, AES, 3DES

A key capable of only 3DES will be rare and must have been created on
purpose or by very old software.  They want 3DES and thus they get it.

> 	* Only use CAST5 if the user explicitly requests it via
> 	  default-cipher-preferences: prefer 3DES over CAST5

Already done.  See above.

> 	* Only use IDEA if the user explicitly requests it via
> 	  default-cipher-preferences: prefer 3DES over IDEA

IDEA is not included in the preferences.

> 	* Use SHA256 for RSA-3072/-4096 signatures and SHA512
> 	  for Brainpool-512

Already used even for RSA-2048.  See example above.

> 	* CAST5 is not in good health: as was recently mentioned in
> 	  the IETF WG mailing list, the Canadians themselves still

I have seen no arguments why CAST5-128 as used by OpenPGP is now weaker
than other 64-bit ciphers.  BTW, the post mentioning CAST5 also falsely
claimed that CAST5 is a 128 bit blocksize cipher.  Maybe the confusion
comes from the fact that CAST is actually a method to create block ciphers.
But it is not used anyway.

> 	* 3DES is still the Rock of Gibraltar.  Big, slow, ungainly,
> 	  and strong.  It's nobody's idea of a good modern cipher, but

Here are the numbers; for fairness AES-NI (Intel's AES hardware support)
has been disabled:

 AES            |  nanosecs/byte   mebibytes/sec   cycles/byte
        CFB enc |      3.88 ns/B     245.8 MiB/s      8.92 c/B
        CFB dec |      3.18 ns/B     299.6 MiB/s      7.32 c/B
 3DES
        CFB enc |     37.69 ns/B     25.30 MiB/s     86.69 c/B
        CFB dec |     20.04 ns/B     47.58 MiB/s     46.10 c/B


Salam-Shalom,

   Werner


-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
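To check what those defaults actually put on the wire, the following is an added example (it is not part of Werner's message and not GnuPG code): a small RFC 4880 packet walker in Python that decodes the two armored blocks shown in the message above and reports the algorithm identifiers recorded in them. The algorithm-ID tables are the ones from RFC 4880 section 9; the base64 payloads are copied verbatim from the clearsign and `-ca` examples, nothing else is constructed. It shows the signature packet carrying hash algorithm 8 (SHA256), public-key algorithm 1 (RSA) and the issuer key ID 50C4476F, and the symmetric message starting with a symmetric-key encrypted session key packet naming cipher 7 (AES, i.e. AES-128) with an iterated+salted S2K, followed by a version 1 SEIPD packet, which is what "MDC" in the preferences buys.

```python
"""Walk the OpenPGP packets in GnuPG's output and report the algorithms actually
used (RFC 4880 packet framing).  Added example, not code from the message."""
import base64
import struct

# Algorithm IDs from RFC 4880 section 9 (the subset that matters here).
CIPHERS = {1: "IDEA", 2: "3DES", 3: "CAST5", 7: "AES", 8: "AES192", 9: "AES256", 10: "Twofish"}
HASHES = {1: "MD5", 2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}
PUBKEYS = {1: "RSA", 17: "DSA", 18: "ECDH", 19: "ECDSA"}

# Base64 payloads copied from the two armored blocks in the message (=CRC lines omitted).
CLEARSIGN_SIGNATURE = """
iQEcBAEBCAAGBQJVCSpjAAoJEGjM5MJQxEdvQOUH/1G0xVxUppAHjqy6E5h8Pds+
R9IhpACMwx+b01KudyTQ1rw1Y6Gy47vRhtaZaY9H7g9Ua8N7CtDWDUlbN/A+vovr
7NX7yh8VXNqTYg9iCbwtL3KrN5b+gImWC7XxKgmJ5MqtRdOnjrGRG+R/1Yz/K6+3
dKtD+o7WSToWiZRaqraIEFaHuHHPhhTbZd9rPkkoVhR8IfuwVP9WiWgL1En1khiC
jNN4XBTO6JYm9wxYnbKTr5pIkNIdkXJEXSSO0VDu+jcx0eXiQlHVM2Za+8F0e59o
rhaD61+7MFRp7W85eq9DphK8ZQkYSiVFmxP05KtBn0ym+CWyOZQTknJTZq2rpGI=
"""
SYMMETRIC_MESSAGE = """
jA0EBwMCEKZ9P8JsqIXk0n0BXv33OI6+DtCIKj4eizkTHI4uFnlwYxa8mGDmNPZX
7f8Q0f5L621bNvyIgCrV+gmfMXbXd2jtUXOAu0Q/g9gpkNEQhEJKcFBk1VDaAM0j
dg8LeF/iT8HUjSmsWXbOCvYRh3MtIbYSEC299yBZJ+gG44Akgypl80dubLXhcA==
"""


def dearmor(b64_lines):
    """Raw packet bytes from the base64 body of an armored block."""
    return base64.b64decode("".join(b64_lines.split()))


def var_length(buf, i, subpacket=False):
    """Decode a new-style packet length (or a subpacket length) at buf[i]."""
    first = buf[i]
    if first < 192:
        return first, 1
    if first < (255 if subpacket else 224):          # two-octet form
        return ((first - 192) << 8) + buf[i + 1] + 192, 2
    if first == 255:                                 # five-octet form
        return struct.unpack(">I", buf[i + 1:i + 5])[0], 5
    raise ValueError("partial body lengths not handled")


def packets(data):
    """Yield (tag, body) for every packet in data (old- and new-style headers)."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("not a packet header")
        if ctb & 0x40:                               # new-style header
            tag = ctb & 0x3f
            length, n = var_length(data, i + 1)
        else:                                        # old-style header
            tag, ltype = (ctb >> 2) & 0x0f, ctb & 0x03
            n = 0 if ltype == 3 else 1 << ltype      # 1, 2 or 4 length octets (3: to end)
            length = int.from_bytes(data[i + 1:i + 1 + n], "big") if n else len(data) - i - 1
        yield tag, data[i + 1 + n:i + 1 + n + length]
        i += 1 + n + length


def subpackets(buf):
    """Parse a v4 signature subpacket area into {type: value}."""
    out, i = {}, 0
    while i < len(buf):
        length, n = var_length(buf, i, subpacket=True)
        out[buf[i + n] & 0x7f] = buf[i + n + 1:i + n + length]
        i += n + length
    return out


def describe(data):
    """One dict per packet summarising the algorithm choices it records."""
    report = []
    for tag, body in packets(data):
        info = {"tag": tag}
        if tag == 2 and body[0] == 4:                # v4 signature
            info.update(sigtype=body[1], pubkey=PUBKEYS.get(body[2]), hash=HASHES.get(body[3]))
            hlen = struct.unpack(">H", body[4:6])[0]
            hashed = subpackets(body[6:6 + hlen])
            ulen = struct.unpack(">H", body[6 + hlen:8 + hlen])[0]
            unhashed = subpackets(body[8 + hlen:8 + hlen + ulen])
            if 2 in hashed:                          # signature creation time
                info["created"] = struct.unpack(">I", hashed[2])[0]
            info["issuer"] = (hashed.get(16) or unhashed.get(16, b"")).hex().upper()
        elif tag == 3 and body[0] == 4:              # symmetric-key encrypted session key
            info.update(cipher=CIPHERS.get(body[1]), s2k=body[2], s2k_hash=HASHES.get(body[3]))
            if body[2] == 3:                         # iterated+salted S2K: decode the count octet
                c = body[12]
                info["s2k_count"] = (16 + (c & 15)) << ((c >> 4) + 6)
        elif tag == 18:                              # SEIPD: version 1 means an MDC is present
            info["mdc"] = body[0] == 1
        report.append(info)
    return report


if __name__ == "__main__":
    for label, armor in (("clearsign", CLEARSIGN_SIGNATURE), ("symmetric", SYMMETRIC_MESSAGE)):
        for p in describe(dearmor(armor)):
            print(label, p)
```

The real tool gives the same view with `gpg --list-packets` on the armored file; the point of walking the bytes by hand is that the preference list and the `-v` line "using cipher AES" are both claims, while the packet fields are what a recipient will actually process. The S2K in the symmetric example also records which hash derives the key from the passphrase (here algorithm 2, SHA1, with a count of 20971520 iterations), which neither the preferences nor the verbose output mention.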




More information about the Gnupg-users mailing list