Security doubts on 3DES default

Robert J. Hansen rjh at sixdemonbag.org
Thu Mar 16 15:21:57 CET 2017


> take rjh's caveat with a grain of salt -- GnuPG's interest is in
protecting its
> users.  If the project knows something is bad, we're going to try to
protect
> users from it.

In my defense, I never said GnuPG wasn't going to try to protect users from
dangerous things.  I said that until the RFC changes, 3DES and SHA1 will
remain in the codebase -- which is, I think, the correct position to take.

> probably not,
> but it should probably decline to generate such a thing, in the way that
it
> defaults to generating signatures using SHA256 these days.

Why?  What's the reasoning for refusing to encrypt using 3DES?

I can see "we should refuse to put 3DES in any non-final position in key or
cipher preferences" -- that would make sense: it's the cipher of last
resort, and putting it in non-final position kind of breaks that guideline
-- but I'm unaware of any reason why we should not permit using 3DES as a
symmetric cipher.

3DES is slow and obnoxious but it's not unsafe.  At 168 bits of key material
it's actually stronger than AES128.  (I'm discounting the theoretical
attacks on 3DES, as they require many orders of magnitude more memory than
exist in the entire world.)




More information about the Gnupg-users mailing list