Werner Koch wk at
Wed Mar 18 09:09:30 CET 2015

On Tue, 17 Mar 2015 20:44, rjh at said:
> Given that 2.1 introduces a lot of new capabilities (mostly with respect
> to ECC), I think now, early on in the 2.1 series, would be a good time
> to discuss changing the defaults for newly-generated certificates.

Let's do a quick check of the status quo (I removed some of the extra
diagnostics from the examples):

Create a new key:

  $ gpg --no-options --quick-gen-key 'test key <foo at>'
  About to create a key for:
      "test key <foo at>"
  Continue? (Y/n) y
  public and secret key created and signed.
  pub   rsa2048/50C4476F 2015-03-18
        Key fingerprint = 11E9 91C2 36E0 21A6 1E35  A682 68CC E4C2 50C4 476F
  uid       [ultimate] test key <foo at>
  sub   rsa2048/807D0FF4 2015-03-18

What are the preferences:

  $ gpg --no-options --edit-key 50C4476F
  gpg (GnuPG) 2.1.3-beta26; Copyright (C) 2015 Free Software Foundation, Inc.
  Secret key is available.
  pub  rsa2048/50C4476F
       created: 2015-03-18  expires: never       usage: SC  
       trust: ultimate      validity: ultimate
  sub  rsa2048/807D0FF4
       created: 2015-03-18  expires: never       usage: E   
  [ultimate] (1). test key <foo at>
  gpg> showpref
  [ultimate] (1). test key <foo at>
       Cipher: AES256, AES192, AES, 3DES
       Digest: SHA256, SHA384, SHA512, SHA224, SHA1
       Compression: ZLIB, BZIP2, ZIP, Uncompressed
       Features: MDC, Keyserver no-modify

Sign something (there is only the above new key in the keyring):

  $ fortune | gpg --no-options --clearsign -v 
  Hash: SHA256
  Whenever people agree with me I always feel I must be wrong.
                  -- Oscar Wilde
  gpg: RSA/SHA256 signature from: "50C4476F test key <foo at>"
  Version: GnuPG v2

Do a symmetric encryption:

  $ fortune | gpg --no-options -ca -v         
  gpg: using cipher AES
  gpg: writing to stdout
  Version: GnuPG v2
  -----END PGP MESSAGE-----


> 	* Offer Brainpool-512 and RSA-3072 as options for
> 	  newly-generated certificates

The default is RSA-2048 but there is an option to create RSA-3072.  GUIs
may choose their own defaults.

Using Brainpool as default for ECC (by the time we can get ECC out of
the export mode) is obviously something the German secret services would
like to see.  Given recent revelations about the BSI and its support for
"remote forensic toolkits" (aka Federal Trojan Tool), this won't convince
people that Brainpool curves are safer than NIST curves.  Anyway, the
plan is to make Curve25519 the default for ECC.  There are also options
for stronger ECC curves not related to US or European standard bodies.

> 	* Use AES256 for a symmetric cipher

As shown above, AES128 (AES) is the default for symmetric encryption.
Symmetric encryption is for whatever reasons commonly used for bulk data
encryption and performance is a matter here:

 AES            |  nanosecs/byte   mebibytes/sec   cycles/byte
        CFB enc |      1.77 ns/B     537.9 MiB/s      4.08 c/B
        CFB dec |     0.365 ns/B    2612.1 MiB/s     0.840 c/B
 AES256         |  nanosecs/byte   mebibytes/sec   cycles/byte
        CFB enc |      2.47 ns/B     386.5 MiB/s      5.67 c/B
        CFB dec |     0.530 ns/B    1799.4 MiB/s      1.22 c/B

Thus on my X220 you get a 40% speedup by using 128 bit AES.  Well, the
numbers are from Libgcrypt and don't include the overhead due to the
protocol, but it is faster.

For public key encryption AES-256 will anyway be used by default.

> 	* Raise a warning if the user attempts to encrypt more
> 	  than 4 GiB with an old (64-bit block) cipher

Except for 3DES there is no 64 bit block cipher in the preferences:

       Cipher: AES256, AES192, AES, 3DES

A key capable of only 3DES will be rare and must have been created on
purpose or by very old software.  They want 3DES and thus they get it.

> 	* Only use CAST5 if the user explicitly requests it via
> 	  default-cipher-preferences: prefer 3DES over CAST5

Already done.  See above.

> 	* Only use IDEA if the user explicitly requests it via
> 	  default-cipher-preferences: prefer 3DES over IDEA

IDEA is not included in the preferences.

> 	* Use SHA256 for RSA-3072/-4096 signatures and SHA512
> 	  for Brainpool-512

Already used even for RSA-2048.  See example above.

> 	* CAST5 is not in good health: as was recently mentioned in
> 	  the IETF WG mailing list, the Canadians themselves still

I have seen no arguments why CAST5-128 as used by OpenPGP is now weaker
than other 64 bit ciphers.  BTW, the post mentioning CAST5 also falsely
claimed that CAST5 is a 128 bit blocksize cipher.  Maybe the confusion
comes from the fact that CAST is actually a method to create block
ciphers.  But it is not used anyway.

> 	* 3DES is still the Rock of Gibraltar.  Big, slow, ungainly,
> 	  and strong.  It's nobody's idea of a good modern cipher, but

Here are the numbers; for fairness AES-NI (Intel's AES hardware support)
has been disabled:

 AES            |  nanosecs/byte   mebibytes/sec   cycles/byte
        CFB enc |      3.88 ns/B     245.8 MiB/s      8.92 c/B
        CFB dec |      3.18 ns/B     299.6 MiB/s      7.32 c/B
 3DES           |  nanosecs/byte   mebibytes/sec   cycles/byte
        CFB enc |     37.69 ns/B     25.30 MiB/s     86.69 c/B
        CFB dec |     20.04 ns/B     47.58 MiB/s     46.10 c/B



Thoughts are free.  Exceptions are regulated by a federal law.
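An added example, not code from the message above or from GnuPG itself: a small Python model of the OpenPGP preference rule the thread leans on. RFC 4880 puts the mandatory algorithm (3DES for ciphers, SHA1 for digests) tacitly at the end of every preference list, so a key advertising only CAST5 still ends up with 3DES, which is why "a key capable of only 3DES will be rare" and why the order of the default list matters. It also models the "more than 4 GiB with a 64-bit block cipher" warning proposed in the quoted text. The function names, the rank-sum tie-break, the block-size table and the sample keys are this example's own assumptions; GnuPG's actual selection code (g10/pkclist.c) is not reproduced here.

```python
"""Simplified OpenPGP algorithm-preference selection (RFC 4880 13.2 / 13.3.1)
plus the 64-bit-block-cipher size warning proposed in the thread.

Added illustration; not GnuPG code.  The rank-sum tie-break below is an
assumption of this example, not a transcription of GnuPG's logic.
"""

# Default preferences of a fresh GnuPG 2.1 key, as shown by "showpref" above.
GNUPG_21_CIPHER_PREFS = ["AES256", "AES192", "AES", "3DES"]
GNUPG_21_DIGEST_PREFS = ["SHA256", "SHA384", "SHA512", "SHA224", "SHA1"]

# RFC 4880: the MUST-implement algorithm is tacitly at the end of every list.
IMPLICIT_CIPHER = "3DES"
IMPLICIT_DIGEST = "SHA1"

# Block sizes in bits (assumed table for this example).
BLOCK_BITS = {
    "3DES": 64, "CAST5": 64, "IDEA": 64, "BLOWFISH": 64,
    "AES": 128, "AES192": 128, "AES256": 128, "TWOFISH": 128,
}

GIB = 1 << 30


def _with_implicit(prefs, implicit):
    """Append the mandatory algorithm if the key does not list it."""
    prefs = list(prefs)
    return prefs if implicit in prefs else prefs + [implicit]


def select_algo(recipient_prefs, implicit, personal_prefs=None):
    """Pick one algorithm acceptable to every recipient.

    recipient_prefs: one ordered preference list per recipient key.
    personal_prefs:  the sender's own ordered list (think GnuPG's
                     personal-cipher-preferences); the first entry found in
                     the intersection wins.  Without it, the algorithm with
                     the lowest summed list position across recipients wins,
                     ties going to the first recipient's order.
    """
    lists = [_with_implicit(p, implicit) for p in recipient_prefs]
    if not lists:
        raise ValueError("no recipients")
    # Intersection, kept in the first recipient's order.
    common = [a for a in lists[0] if all(a in l for l in lists)]
    if personal_prefs:
        for algo in personal_prefs:
            if algo in common:
                return algo
    # min() is stable, so ties keep lists[0] order.
    return min(common, key=lambda a: sum(l.index(a) for l in lists))


def block_cipher_warning(cipher, plaintext_bytes, limit=4 * GIB):
    """Return a warning string if a 64-bit block cipher would encrypt more
    than `limit` bytes (the 4 GiB threshold from the proposal), else None."""
    if BLOCK_BITS[cipher] == 64 and plaintext_bytes > limit:
        return (f"{cipher} has a 64-bit block; encrypting "
                f"{plaintext_bytes / GIB:.1f} GiB exceeds {limit // GIB} GiB")
    return None


if __name__ == "__main__":
    # Constructed sample keys: a fresh 2.1 key, a 1.4-style key, and a key
    # from very old software that advertises nothing but CAST5.
    old_14_style = ["AES256", "AES192", "AES", "CAST5", "3DES"]
    cast5_only = ["CAST5"]

    print(select_algo([GNUPG_21_CIPHER_PREFS, old_14_style], IMPLICIT_CIPHER))
    print(select_algo([GNUPG_21_CIPHER_PREFS, cast5_only], IMPLICIT_CIPHER))
    print(select_algo([GNUPG_21_DIGEST_PREFS, ["MD5"]], IMPLICIT_DIGEST))
    print(block_cipher_warning("3DES", 5 * GIB))
    print(block_cipher_warning("AES", 20 * GIB))
```

Running it shows AES256 for two modern keys, 3DES as soon as a CAST5-only recipient is added (the implicit entry is the only common ground, since CAST5 is absent from the 2.1 default list), SHA1 for a digest list that shares nothing else, and a warning only for the 3DES case above 4 GiB.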
