Should one really disable AEAD for recent GnuPG created PGP keys?

Werner Koch wk at gnupg.org
Tue Mar 5 14:56:52 CET 2024


Hi!

On Tue,  5 Mar 2024 12:39, Tobias Leupold said:
> Sorry for asking another thing about this. For sure, I didn't want to set off 
> an avalanche, and I still don't want to. But from a user's perspective, this 
> is simply very confusing and also unsettling.

You are right.  What I can do is to give my perspective of this which is
based on my experience re-implementing a free PGP version since 1997 and
while doing that taking part in the OpenPGP specification process which
started at the same time.

> https://security.stackexchange.com/questions/275883/should-one-really-disable-aead-for-recent-gnupg-created-pgp-keys
>
> The answer started with:
>
>> While authenticated encryption (AEAD) is good - especially for something
>> like OpenPGP, which is an old and over-complicated standard that has a
>> concerning large attack surface for vulnerabilities or simple implementation

This introduction is pretty unfair but unfortunately as common on the
net as the "PGP is way too complicated for anyone to use" claim.  In
reality PGP (in the form of GnuPG and Thunderbird) is used daily by
millions of people who consciously choose to protect their mails and
data.  If you want to see an over-complicated standard, have a look at
S/MIME (aka CMS, X.509) which is implemented by all major mailers but
does not have the good reputation of *PGP.  See also [1].

The above answer by CBHacking continues:

   I definitely can't recommend enabling a non-standardized
   compatibility-breaking feature by default, and frankly feel that
   GnuPG made a major error in doing so.

That is factually wrong.  RNP, the core of Thunderbird's OpenPGP
implementation, implemented this too.  But instead of fixing all the
stuff which got lost during the migration from Enigmail to TB's new
OpenPGP code, the TB maintainer now wants to remove support for OCB from
TB.  IETF specifications are not a standard but a specification of how
certain things are commonly implemented.  The by now most used public
key algorithm (Curve25519) is not specified in OpenPGP but is
nevertheless widely used and accepted.

   From a security perspective, I'm not even sure that just adding an
   OCB-based AEAD mode actually helps anything, in expectation; OpenPGP
   messages can already be authenticated in a few different ways, so
   arguably the likeliest source of security flaws is that the message

S/he is right that formats get more complex and that we already have
Authenticated Encryption (the core feature of AEAD) in OpenPGP, but
exactly that old format is complex and hard to implement.  OTOH, the new
OCB based Authenticated Encryption is a straightforward implementation
of a well researched mode and the gold standard for all block cipher
modes.  The old format in OpenPGP was an ad-hoc implementation of
Authenticated Encryption on top of the legacy PGP-2 format.  Thus in the
long run the new OCB mode will reduce the complexity.

The answer shows in bold:

  Given that you work with non-GnuPG clients, and that this feature is
  not part of the OpenPGP specification, and that OpenPGP already
  includes message authentication and integrity, I recommend disabling
  this feature for now.

With the same argument you could also stop using TLS 1.3 and instead
keep on using TLS 1.2 for eternity.  In most cases 1.3 has no real world
advantages when done right.  However, most sites allow for both 1.3 and
1.2 and only a few disallow 1.2, which leads to the same problems as we
see with the removal of support by some applications and some Linux
distros.

  Note that you'll have to re-encrypt the data for non-GPG clients after
  disabling this non-standard feature.

While most other things CBHacking wrote are okay, this one is simply
wrong.  This is not a gpg only feature.

> from somebody with an impressive reputation on the network, for whom I
> suppose

Well, some anonymous account on stackexchange.  I can't tell.


Salam-Shalom,

   Werner


[1] Let me quote Peter Gutmann, a really well reputed expert on all things
    security, on S/MIME:
     "As a result there's no pressure on the people involved in PKI
      standardisation to create anything that meets any real-world
      requirement, allowing them instead to spend their time building great
      gothic cathedrals of infinite complexity whose sole purpose seems to
      be to strike awe and terror into the masses."
    I hope that *PGP stops evolving into this direction.

-- 
The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein