Mailing List Archive: GnuPG: users

Draft of nine new FAQ questions

1 2

View All

Index | Next | Previous | View Threaded

rjh at sixdemonbag

May 23, 2012, 9:18 AM

Post #1 of 26 (286 views)
Permalink

Draft of nine new FAQ questions

I have a draft version of nine frequently asked questions ready for
community review:

http://keyservers.org/gnupgfaq.xhtml

Note that this draft is in nicely-typeset XHTML5. This is to make it
easier to proofread. The final version that I'm going to submit to
Werner will be in plain text, so please, no suggestions about fonts,
visual design, layout, or anything else like that.

Any and all feedback (save for visual design, layout, etc.) will be
gratefully accepted. Thank you!

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

mick.crane at gmail

May 23, 2012, 9:34 AM

Post #2 of 26 (279 views)
Permalink

Re: Draft of nine new FAQ questions [In reply to]

On Wed, May 23, 2012 5:18 pm, Robert J. Hansen wrote:
> I have a draft version of nine frequently asked questions ready for
> community review:
>
> http://keyservers.org/gnupgfaq.xhtml

for me the first should always be "what is gnupg ?"

regards

mick

--
keyID: 0x4BFEBB31

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Lists.gnupg at mephisto

May 23, 2012, 11:28 AM

Post #3 of 26 (279 views)
Permalink

Re: Draft of nine new FAQ questions [In reply to]

On Wed, May 23, 2012 at 05:34:16PM +0100 Also sprach michael crane:
>
> for me the first should always be "what is gnupg ?"
>

I believe these nine "new" FAQ entries are to be added to the existing
entries to provide additional information regarding keysizes
specifically. They are not comprehensive, and general discussion of
GnuPG and its purpose is covered in the existing FAQ.

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

david at gbenet

May 23, 2012, 11:44 AM

Post #4 of 26 (280 views)
Permalink

Re: Draft of nine new FAQ questions [In reply to]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 23/05/12 17:34, michael crane wrote:
>
> On Wed, May 23, 2012 5:18 pm, Robert J. Hansen wrote:
>> I have a draft version of nine frequently asked questions ready for
>> community review:
>>
>> http://keyservers.org/gnupgfaq.xhtml
>
> for me the first should always be "what is gnupg ?"
>
> regards
>
> mick
>
I too felt that there was something missing. This whole topic got kicked off by some one
questioning the strength - the security of keys. No other contribution from the original
poster has been made - may be he "disappeared." Anyway I felt that there was something
missing - and that's a write of gpg 1.4.11 version 2's an add-on and only needs a few words.
Needs to be more informative - authoritative and a bit more on the maths :)

David

- --
“See the sanity of the man! No gods, no angels, no demons, no body. Nothing of the
kind.Stern, sane,every brain-cell perfect and complete even at the moment of death. No
delusion.” https://linuxcounter.net/user/512854.html - http://gbenet.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJPvS+4AAoJEOJpqm7flRExmeEH/jndZrwunmnYQqvfxkdS16YH
GNJvRh7MmcAMSjBuB543aveRFjf+yl1tOcLrXVA3uO1/ktW6grHWrLJZ06W+U9Sv
h9CEHie+wGmNqs0qgBRYMp8cJvoPpJSO6P2EV4ZdmTORRs4ETI5B7CVKq7bnK3qL
MR4+QvlsomwokWJjSSFmPOcWA2+TxsyCj/I41Hz0bI8iNnmyDqkHFmPleiIiRUef
uKgJtezNg/SHHIYEUuu0QeBMlNwtFv1J4kuWteVxbCO70EN3lnSyWNIIQxuUQAJS
SsEzCaDo/M6dsHs44MdZiXWv4Wa8oIPUwD01zyO8o6IvQXI1X/IoQC1ySdzvVOc=
=GAGl
-----END PGP SIGNATURE-----

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

dshaw at jabberwocky

May 23, 2012, 1:12 PM

Post #5 of 26 (275 views)
Permalink

Re: Draft of nine new FAQ questions [In reply to]

On May 23, 2012, at 12:18 PM, Robert J. Hansen wrote:

> I have a draft version of nine frequently asked questions ready for
> community review:
>
> http://keyservers.org/gnupgfaq.xhtml
>
> Note that this draft is in nicely-typeset XHTML5. This is to make it
> easier to proofread. The final version that I'm going to submit to
> Werner will be in plain text, so please, no suggestions about fonts,
> visual design, layout, or anything else like that.
>
> Any and all feedback (save for visual design, layout, etc.) will be
> gratefully accepted. Thank you!

Very nice work.

I have just three minor notes:

#1 explains why we default to 2048-bit keys, but not why RSA. What NIST stated about key strength is true for any 2048-bit OpenPGP key (DSA or RSA). The reason why we switched to RSA in 2009 was mainly for reasons of being able to use a larger primary key. DSA was inherently capped at 1024 bits (and a 160-bit hash), and while DSA2 existed (so we could theoretically have used a 2048-bit DSA key instead of RSA), it was not nearly as widely implemented across the OpenPGP user base as RSA was.

The answer you have for #4 is not exactly wrong, but it is not complete. GnuPG doesn't support 4096-bit keys just because PGP (the product) does. It also supports a range of key sizes because OpenPGP (the standard) does. And it also supports a range of key sizes because people want/need them (local policy for key length, for example, as you note in the answer to #3). GnuPG is a powerful and flexible tool, and that includes the power and flexibility to do things that are not necessarily recommended by the GnuPG developers.

For #10, it might be worth mentioning something about the use of different hash lengths (q) for the different DSA sizes. The two sort of go hand in hand. Or for that matter, perhaps a question #11 "How come my signatures from my 2048-bit DSA key use a different hash than those from my 1024-bit DSA key?" would be interesting.

David

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

rjh at sixdemonbag

May 23, 2012, 1:45 PM

Post #6 of 26 (276 views)
Permalink

Re: Draft of nine new FAQ questions [In reply to]

On 5/23/12 4:12 PM, David Shaw wrote:
> #1 explains why we default to 2048-bit keys, but not why RSA.

Fixed, thank you.

> The answer you have for #4 is not exactly wrong, but it is not
> complete. GnuPG doesn't support 4096-bit keys just because PGP (the
> product) does. It also supports a range of key sizes because OpenPGP
> (the standard) does.

I don't want to seem argumentative (especially because I haven't looked
at the RFC lately), but I was under the impression the RFC was mostly
silent on the subject of algorithms and key sizes -- DSA being a MUST
algorithm, but little guidance beyond that. Am I in error?

(That said, the text has been fixed: thank you.)

> For #10, it might be worth mentioning something about the use of
> different hash lengths (q) for the different DSA sizes. The two sort
> of go hand in hand. Or for that matter, perhaps a question #11 "How
> come my signatures from my 2048-bit DSA key use a different hash than
> those from my 1024-bit DSA key?" would be interesting.

Added.

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

dshaw at jabberwocky

May 23, 2012, 2:40 PM

Post #7 of 26 (276 views)
Permalink

Re: Draft of nine new FAQ questions [In reply to]

On May 23, 2012, at 4:45 PM, Robert J. Hansen wrote:

> I don't want to seem argumentative (especially because I haven't looked
> at the RFC lately), but I was under the impression the RFC was mostly
> silent on the subject of algorithms and key sizes -- DSA being a MUST
> algorithm, but little guidance beyond that. Am I in error?

The fact that RSA can have different key sizes is clearly stated, since you need that information to interoperate, and that's what I was referring to. I don't mean to say that one of the several reasons GnuPG supports 4096-bit keys is because the OpenPGP spec says they are better. I mean to say that one of the several reasons GnuPG supports 4096-bit keys is because the OpenPGP spec says they *exist* (there is some implementation art here - we don't support 8192-bit keys even though they obviously exist as well).

The way you stated it in the revised FAQ covers this very well.

The standard is indeed mostly silent on the topic on why you would *want* to pick a particular key size over a different key size. That is appropriate for a message format document - it's not really taking sides. Pretty much all it says is to be careful and notes that 4096 was the common limit at publication time:

* OpenPGP does not put limits on the size of public keys. However,
larger keys are not necessarily better keys. Larger keys take
more computation time to use, and this can quickly become
impractical. Different OpenPGP implementations may also use
different upper bounds for public key sizes, and so care should
be taken when choosing sizes to maintain interoperability. As of
2007 most implementations have an upper bound of 4096 bits.

>> For #10, it might be worth mentioning something about the use of
>> different hash lengths (q) for the different DSA sizes. The two sort
>> of go hand in hand. Or for that matter, perhaps a question #11 "How
>> come my signatures from my 2048-bit DSA key use a different hash than
>> those from my 1024-bit DSA key?" would be interesting.
>
> Added.

Excellent. One note on the new text - it states that 2048-bit DSA keys use a 224-bit hash. In fact, a 2048-bit DSA key can use either 224 or 256-bit hashes. GnuPG uses 256 here (but will of course accept a 224 generated elsewhere), so we're either using 160 or 256 unless someone forces 224 by picking an odd DSA key size like 1536.

David

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

reynt0 at cs

May 23, 2012, 3:50 PM

Post #8 of 26 (274 views)
Permalink

Re: Draft of nine new FAQ questions [In reply to]

On Wed, 23 May 2012, Robert J. Hansen wrote:
. . .
> I have a draft version of nine frequently asked questions ready for
> community review:
> http://keyservers.org/gnupgfaq.xhtml
>
> Any and all feedback (save for visual design, layout, etc.) will be
> gratefully accepted. Thank you!

Here FWIW are some kindof stylistic suggestions, following
some standard types of phrasings I have found useful to
minimize confusion when communicating with people from
varied or unknown linguistic backgrounds. Changes are
identified by "*** <foo> ***".

Interestingly, good rather than loose grammar often seems
to be more understandable by people who learned English in
non-USA schools, since they often learned by a book which
taught by grammar. (Cf eg my "***ever to be***" below.)
Also, just to mention, best to avoid smart apostrophes/quotes
in the final version, naturally, right? And maybe most
contractions.

---re #1: Why does GnuPG use 2048-bit RSA by default?
***This question can be separated into two questions: Why ... by
default?; and Why ... by default?"***
This is actually two separate questions in one: why does GnuPG use
2048-bit keys by default, and why does GnuPG use the RSA algorithm by
default?

***The answer to the first question is that GnuPG .... NIST's current
position (as of May 2012) is that software providing 112***
With respect to the first question, GnuPG uses 2048-bit keys in order to
comply with the current (as of Spring 2012) recommendations of the United
. . .
***The answer to the second question is that GPS uses RSA rather
than DSA mostly***
With respect to the second question, GnuPG uses RSA over DSA mostly
. . .

---re #3: Why doesn't GnuPG default to 4096-bit RSA?
. . .
***If a 2048-bit key were ever to be ... to advocate that RSA be ....
Against what we assume would take a breakthrough of great significance,
[."magnitude" is a size word, might confuse someone roughing out a
translation about key size]***
If a 2048-bit key were to ever be successfully attacked, that would be
enough to advocate RSA be abandoned completely. Against a breakthrough of
that magnitude another few thousand bits of key would likely make no
difference.
. . .
the shift to 3072-bit keys gives little additional resistance, and
4096-bit keys ***give*** an even smaller addition

***GnuPG is not for only desktop or laptop computers.***
GnuPG is not just for desktops. It has been successfully ported
. . .

2048-bit RSA is believed safe until 2030, which exceeds the
needs of most GnuPG users. If for some reason a longer duration
is needed***,*** a 4096-bit key may certainly be generated and
used, ***. But***but the defaults are meant to be appropriate
for the majority of users ***and*** not for specialized or
niche security needs.

---re #5: Is RSA-2048 really enough?

***start 2nd sentence : And other organizations to whom encryption
is important (such as RSA...*** [.The world changes, and maybe
an explicit endorsement might not be so appropriate tomorrow,
but embarassing or similar to change then. Just mentioning them
is an implicit endorsement, IMHO of course]
According to NIST, yes. Further, other well-respected organizations (such
as RSA Security) have publicly supported NIST's recommendations.

. . .
key recommendations have been superseded by those in Practical
Cryptography, which, to repeat, says ***replace "says" with
"estimates"*** RSA-2048 will be sufficient until the mid-2020s.

---re #6: Can any of the ciphers in GnuPG be brute-forced?
. . .
***In terms of current scientific understandings, the symmetric
ciphers used in GnuPG are utterly***
The symmetric ciphers used in GnuPG are utterly immune to
brute forcing. The Second Law of Thermodynamics places strict
. . .

--re #7: Has GnuPG ever been successfully attacked?

We are unaware of any successful cryptanalytic attacks against
GnuPG. However, it is still susceptible to non-cryptanalytic
attacks such as malware, unauthorized physical access,
***social engineering attacks,*** and other such things.

---re #8: Should I use PGP/MIME or inline OpenPGP for my emails?

Unfortunately, there is no clear answer.

***move "for instance" from the end to the start of the 2nd
sentence***
PGP/MIME has some distinct advantages over inline email. It
handles attachments automatically, for instance. It also separates
the signature from the document, which many people prefer over
. . .

***Mail servers further confound things. As a general tactic
against malware, any mail servers will strip off, alter, ..."
{and delete "as an anti-malware measure" from end of sentence]***
Mail servers further confound things. Many mail servers will
strip off, alter, or quarantine attachments as an anti-malware
measure. This has the effect of breaking PGP/MIME.

For many years GNU Mailman mailing-list software mangled PGP/MIME
attachments in ways that broke signatures. These ***replace
"these" with "Some"*** old Mailman installations ***like that***
still exist today.
=============
Cheers. HTH FWIW

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

mailinglisten at hauke-laging

May 23, 2012, 4:03 PM

Post #9 of 26 (276 views)
Permalink

Re: Draft of nine new FAQ questions [In reply to]

Am Mi 23.05.2012, 12:18:49 schrieb Robert J. Hansen:
> I have a draft version of nine frequently asked questions ready for
> community review:
>
> http://keyservers.org/gnupgfaq.xhtml

The reason I suggested a FAQ addition is not covered :-) At least not by the
headlines. There should be a paragraph "Why does GnuPG not support more than
4096 bits?".

@ "Why does GnuPG use 2048-bit RSA by default?":
Does the g10 smartcard not count as a reason for RSA default?

@ "Has GnuPG ever been successfully attacked?"
That sounds like there has never been a security problem. El-Gamal signatures,
anyone? Furthermore:
http://lists.gnupg.org/pipermail/gnupg-announce/2006q1/000211.html

Hauke
--
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814

Attachments:

signature.asc (0.54 KB)

rjh at sixdemonbag

May 23, 2012, 5:22 PM

Post #10 of 26 (275 views)
Permalink

Re: Draft of nine new FAQ questions [In reply to]

On 5/23/12 6:50 PM, reynt0 wrote:
> Also, just to mention, best to avoid smart apostrophes/quotes
> in the final version, naturally, right?

Not a whelk�s chance in a supernova. Those aren�t smart quotes, they�re
perfectly valid UTF-8 typographic marks.

"Straight quotes" and 'straight apostrophes' are artifacts of the
typewriter era, where there was simply not enough space on the keyboard
to provide proper typographic marks. If you read a book, you�ll
discover they pay attention to things like ligatures, kerning, proper
typographic marks, and all manner of other things. Centuries of use
have shown that these marks make text easier to read.

The final version that gets submitted to Werner will by necessity be
plain text, and that will probably get downshifted into dumb typewriter
markings. But so long as I�m going blind on it, reading those rows of
text again and again and again, I�m going to pay attention to the
typography.

I encourage anyone who�s writing web pages to abjure dumb typewriter
markings. In the UTF-8 era, there�s absolutely no reason why any of us
should have to put up with them.

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

wk at gnupg

May 24, 2012, 2:59 AM

Post #11 of 26 (276 views)
Permalink

Re: Draft of nine new FAQ questions [In reply to]

On Wed, 23 May 2012 23:40, dshaw [at] jabberwocky said:

> Excellent. One note on the new text - it states that 2048-bit DSA
> keys use a 224-bit hash. In fact, a 2048-bit DSA key can use either
> 224 or 256-bit hashes. GnuPG uses 256 here (but will of course accept

For the records: Before 2.0.13, SHA-224 was used for 2048 bit DSA keys.

Shalom-Salam,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

wk at gnupg

May 24, 2012, 3:20 AM

Post #12 of 26 (276 views)
Permalink

Re: Draft of nine new FAQ questions [In reply to]

On Thu, 24 May 2012 01:03, mailinglisten [at] hauke-laging said:

> That sounds like there has never been a security problem. El-Gamal signatures,
> anyone?

Right, there was a bug in the Elgamal signature code. However this was
a regression long after we changed the default to DSA with version 0.3.0
in 1998. Only a few keys generated with those versions - and those how
created keys without using the defaults - were troubled.

Salam-Shalom,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

rychitre at yahoo

May 24, 2012, 4:13 AM

Post #13 of 26 (274 views)
Permalink

Re: Draft of nine new FAQ questions [In reply to]

Hello,
�
I want to opt out from emails. I don't see unsubscribe option. How can I opt out?
�
Thanks,
Rupali

--- On Thu, 5/24/12, Werner Koch <wk [at] gnupg> wrote:

From: Werner Koch <wk [at] gnupg>
Subject: Re: Draft of nine new FAQ questions
To: "Hauke Laging" <mailinglisten [at] hauke-laging>
Cc: gnupg-users [at] gnupg
Date: Thursday, May 24, 2012, 6:20 AM

On Thu, 24 May 2012 01:03, mailinglisten [at] hauke-laging said:

> That sounds like there has never been a security problem. El-Gamal signatures,
> anyone?

Right, there was a bug in the Elgamal signature code.� However this was
a regression long after we changed the default to DSA with version 0.3.0
in 1998.� Only a few keys generated with those versions - and those how
created keys without using the defaults - were troubled.

Salam-Shalom,

��Werner

--
Die Gedanken sind frei.� Ausnahmen regelt ein Bundesgesetz.

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

wk at gnupg

May 24, 2012, 6:06 AM

Post #14 of 26 (276 views)
Permalink

Re: Draft of nine new FAQ questions [In reply to]

On Thu, 24 May 2012 13:13, rychitre [at] yahoo said:

> I want to opt out from emails. I don't see unsubscribe option. How can I opt out?

Have a look at the last line of each mail:

http://lists.gnupg.org/mailman/listinfo/gnupg-users

Or look into the mail headers.

Salam-Shalom,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

reynt0 at cs

May 24, 2012, 4:56 PM

Post #15 of 26 (273 views)
Permalink

Re: Draft of nine new FAQ questions [In reply to]

On Wed, 23 May 2012, Robert J. Hansen wrote:

> On 5/23/12 6:50 PM, reynt0 wrote:
>> Also, just to mention, best to avoid smart apostrophes/quotes
>> in the final version, naturally, right?
>
> Not a whelk�s chance in a supernova. Those aren�t smart quotes, they�re
> perfectly valid UTF-8 typographic marks.
>
> "Straight quotes" and 'straight apostrophes' are artifacts of the
> typewriter era, where there was simply not enough space on the keyboard
> to provide proper typographic marks.
. . .

I was just guessing what they might be. They showed as
"garbage" character groups in some browser rendering.
The idea is just to maximize usability to maximum audience,
of course, however that might be obtained.
Cheers.

rjh at sixdemonbag

May 24, 2012, 5:27 PM

Post #16 of 26 (273 views)
Permalink

Re: Draft of nine new FAQ questions [In reply to]

On 5/24/12 7:56 PM, reynt0 wrote:
> I was just guessing what they might be. They showed as
> "garbage" character groups in some browser rendering.

They may render as 'no such glyph', depending on which font you use.
I'd suggest using a better font. :)

Also, if your browser is set to render everything as ASCII regardless of
what character set the webpage says it's using, then you'll also run
into problems. The solution here is to trust the webpage character set.

> The idea is just to maximize usability to maximum audience,

If you wish for that, I invite you to write your own.

"Maximum audience" is not the same as "maximum usability." The two are
different properties. When it comes to the written word, ease of
reading, speed of reading, and comprehension is all improved by using
reasonable typography. I consider those to be essential usability goals.

If I wanted "maximum audience," I'd try to turn the FAQ into _American
Idol_.

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

wk at gnupg

May 25, 2012, 1:44 AM

Post #17 of 26 (276 views)
Permalink

Re: Draft of nine new FAQ questions [In reply to]

On Thu, 24 May 2012 02:22, rjh [at] sixdemonbag said:

> The final version that gets submitted to Werner will by necessity be
> plain text, and that will probably get downshifted into dumb typewriter

Keep those quotes. I like UTF-8 and it is always easier to replace them
by ticks and backticks than the other way around.

I would use them as well, but I don't yet know which keys to use.
MOD3+(,) give me the single quotes, but the commonly used MOD3+' is
bound to deaddiaeresis. For German I also need a lower quote. Finding
3 new keys with Emacs is hard ;-).

Salam-Shalom,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

nicholas.cole at gmail

May 25, 2012, 3:41 AM

Post #18 of 26 (276 views)
Permalink

Re: Draft of nine new FAQ questions [In reply to]

> ---re #5: �Is RSA-2048 really enough?
>
> ***start 2nd sentence : And other organizations to whom encryption
> is important (such as RSA...*** �[.The world changes, and maybe
> an explicit endorsement might not be so appropriate tomorrow,
> but embarassing or similar to change then. �Just mentioning them
> is an implicit endorsement, IMHO of course]
> According to NIST, yes. Further, other well-respected organizations (such as
> RSA Security) have publicly supported NIST's recommendations.
>
> �. . .
> key recommendations have been superseded by those in Practical Cryptography,
> which, to repeat, says ***replace "says" with
> "estimates"*** RSA-2048 will be sufficient until the mid-2020s.
>
>
> ---re #6: �Can any of the ciphers in GnuPG be brute-forced?
> �. . .
> ***In terms of current scientific understandings, the symmetric
> ciphers used in GnuPG are utterly***
> The symmetric ciphers used in GnuPG are utterly immune to
> brute forcing. �The Second Law of Thermodynamics places strict
> �. . .

and

> 7.6 .... 2048-bit keys are believed to be immune to brute-forcing until at least 2030.

There's a slight confusion in these answers that I think it would be
really helpful to address in an FAQ.

On the one-hand, this new FAQ suggests that attacking a 2048 key is
already so unfeasible that to suggest that a 3072 key would provide
additional security is a nonsense. On the other hand, there is a
sense that 2048 keys might only provide adequate security until the
mid-2020s / 2030.

Is that because the break-through that is anticipated by the second
statement is some kind of quantum computing success or some similar
advance that completely breaks RSA (and all PKI)?

In other words, what really is the status of a statement like "2048
RSA is believed safe until 2030"? Back in the 1990s, such predictions
were based on a sense of increasing computing power, and it was
possible to predict with reasonable accuracy when (for example) 512
bit RSA would look possible to factor at imaginable cost. Is the
"safe until 2030" prediction of a similar quality or just a guess at
when technologies that are currently science fiction might look
possible?

I only raise these points because this has become such a recurrent,
sometimes even tiresome theme on this mailing list, that I'd really
like the FAQ to be as comprehensive as possible.

To put the question in the form that sometimes comes up on this list -
what if one wants security until 2040? Would a 3072 key make sense in
that case or not?

Not that I think my own security needs, by the way, need anything more
than a 512 RSA key, if that... ;-)

Best wishes,

Nicholas

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

rjh at sixdemonbag

May 25, 2012, 5:35 AM

Post #19 of 26 (274 views)
Permalink

Re: Draft of nine new FAQ questions [In reply to]

On 5/25/12 6:41 AM, Nicholas Cole wrote:
> ***In terms of current scientific understandings, the symmetric
> ciphers used in GnuPG are utterly***
> The symmetric ciphers used in GnuPG are utterly immune to
> brute forcing. The Second Law of Thermodynamics places strict

I'm comfortable with things as they are. If and when Heisenberg and/or
the Second Law stop being accurate descriptions of the universe, I'll
have much bigger things to worry about than the FAQ. :)

> There's a slight confusion in these answers that I think it would be
> really helpful to address in an FAQ.

Yes, there is. Unfortunately, the answer is kind of messy.

NIST believes a 112-bit *keyspace* ("bits of security") will be
sufficient until at least 2030, but NIST never gives their reasons why.
I suspect that's because the committee wasn't able to reach an
agreement on why: one person believed X was the biggest threat and would
come to pass no sooner than 2030, another person believed Y and it would
come to pass no sooner than 2030, another person believed Z. They all
agreed "safe until 2030," so that's what got put down as a
recommendation -- but NIST reached no consensus on what particular
threat they were worried about.

NIST also believes a 2048-bit key provides a 112-bit keyspace. There's
a lot of conjecture going on there. Sure, there may be approximately
2**112 primes that would have to be checked in order to do a brute-force
factoring, but there's some evidence that RSA can be broken *without
needing to factor anything* (!!). We have no idea how to do it and no
idea how much easier this would be than brute-force factoring. (In
fact, for all we know it might be harder, although that's considered
unlikely.) Dan Boneh showed breaking RSA without factoring anything was
probably possible, but it was a nonconstructive demonstration -- we have
no idea where to begin.

So on the one hand, it's possible that brute-force factoring will have
some sort of breakthrough by 2030 (Shor's algorithm, maybe?) that will
end the useful lifespan of 2048-bit keys. And on the other hand, it's
possible that Boneh's work will have some sort of breakthrough by 2030
that will blow RSA out of the water. We don't know. It's kind of
frustrating. It's this sort of complexity that causes our crystal balls
to be all murky.

Remember, too, that we're talking about predictions *18 years out*.
That's a long, long ways. I'll be getting senior citizen's discounts at
restaurants by then. I imagine a lot of the NISTers just didn't feel
comfortable making pronouncements past 2030.

> To put the question in the form that sometimes comes up on this list -
> what if one wants security until 2040? Would a 3072 key make sense in
> that case or not?

Then you're probably best-served going hog-wild on a 4096-bit key, with
the strong caveat that nobody really has any idea whether even a 4k key
will survive until 2040.

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

rjh at sixdemonbag

May 25, 2012, 6:24 AM

Post #20 of 26 (274 views)
Permalink

Re: Draft of nine new FAQ questions [In reply to]

On 5/25/12 8:35 AM, Robert J. Hansen wrote:
> Dan Boneh showed breaking RSA without factoring anything was
> probably possible, but it was a nonconstructive demonstration -- we have
> no idea where to begin.

Just realized the phrase "nonconstructive" may need to be explained.
The best way to do it is with a story.

Imagine that you and Dan Boneh [1] are in a dark room. Neither you nor
he have any idea what's in here with you, or if in fact there's anything
in here at all. You're completely ... in the dark, if you'll forgive
the pun. You begin to muse about wouldn't it be nice if there was a way
to find out exactly what else was in the room with you.

Dan listens politely, then says: "Well, figuring out what's in the room
with us is a big question. Maybe we should start smaller: let's find
out if there's *anything* in the room with us."

You scoff at this. "How are we going to do that? If we find out
*what's* in the room with us, that will tell us *if* anything's in the
room with us. How do you propose to figure out *if* anything's in the
room with us but not *what* that is?"

Now, a little-known fact about academics in computer science is that we
are all heavily-armed [2]. This is something you probably wished you
had thought about before you foolishly volunteered to be in this
metaphor, because now Dan Boneh is quick-drawing a Glock 18 with the
sort of grace and precision usually reserved for samurai movies. As he
fills the room with hot lead at nine hundred rounds per minute,
somewhere in the world Quentin Tarantino stops what he's doing and a
single tear of pride rolls down his cheek, although he is not quite sure
why.

Having fallen over in all the excitement, you quickly pull yourself to
your feet and scream out, "WHAT WAS THAT?" Somehow, your voice sounds
very tinny and far away.

Dan casually removes his earplugs and explains: "Judging from the
reverberations, we know there are walls. We just don't know where.
Judging from the sounds of fragile things breaking, we know there were
fragile things -- but we don't know what shape they're in now. And
judging from the noise of a sucking chest wound, it's a fair bet there
is some other living creature in the room with us."

You take all this in for a moment and exclaim, "Are you telling me you
just /shot another human being?!/"

"No," Dan observes. "It /could/ have been a werewolf. True, werewolves
are usually immune to conventional weapons, but I have no way of knowing
whether I was using silver bullets just there. I /may/ have shot a
human being. But I'm not ruling out the werewolf hypothesis yet, either."

At this point you look skywards and scream, "GET ME OUT OF THIS
METAPHOR! I get it already! A nonconstructive proof doesn't tell us
anything about /what/ or /why/ or /how/, it just says that something
/is/! GET ME OUT OF HERE, I don't want to spend the rest of this
metaphor in a dark room with a raving psychotic!"

Dan helpfully points out as he's reloading that werewolves suffer from
lycanthropy, not psychosis. As for you, you flee the metaphor for the
safety of a more literal world.

[1] In reality, Dan Boneh is a very nice guy, quite reasonable, and
nothing at all like I'm portraying him here.

[2] http://www.ccs.neu.edu/home/shivers/autoweapons.html

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

mwood at IUPUI

May 25, 2012, 6:31 AM

Post #21 of 26 (273 views)
Permalink

Re: Draft of nine new FAQ questions [In reply to]

On Fri, May 25, 2012 at 10:44:40AM +0200, Werner Koch wrote:
> On Thu, 24 May 2012 02:22, rjh [at] sixdemonbag said:
>
> > The final version that gets submitted to Werner will by necessity be
> > plain text, and that will probably get downshifted into dumb typewriter
>
> Keep those quotes. I like UTF-8 and it is always easier to replace them
> by ticks and backticks than the other way around.
>
> I would use them as well, but I don't yet know which keys to use.
> MOD3+(,) give me the single quotes, but the commonly used MOD3+' is
> bound to deaddiaeresis. For German I also need a lower quote. Finding
> 3 new keys with Emacs is hard ;-).

And life is too short to go trawling the Internet for X Compose
sequences. If I could find a comprehensive table I'd probably use
them more.

--
Mark H. Wood, Lead System Programmer mwood [at] IUPUI
Asking whether markets are efficient is like asking whether people are smart.

vedaal at nym

May 25, 2012, 7:11 AM

Post #22 of 26 (276 views)
Permalink

Draft of nine new FAQ questions [In reply to]

Robert J. Hansen rjh at sixdemonbag.org wrote on
Fri May 25 15:24:32 CEST 2012 :

> In reality, Dan Boneh is a very nice guy, quite reasonable, and
nothing at all like I'm portraying him here.

He gives a free online crypto course at Stanford
https://www.coursera.org/#course/crypto

The course is more abstract, explaining how encryption and hashing are 'acceptably secure, but not as secure as a one-time-pad',
and gives the underlying theory for symmetic ciphers, hashes, DH and RSA.

He does the video lectures, and can be reached for questions through the course's forum or by e-mail.

vedaal

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

nicholas.cole at gmail

May 25, 2012, 8:02 AM

Post #23 of 26 (273 views)
Permalink

Re: Draft of nine new FAQ questions [In reply to]

>> There's a slight confusion in these answers that I think it would be
>> really helpful to address in an FAQ.
>
> Yes, there is. �Unfortunately, the answer is kind of messy.

[ snip ]

Thank you for a really good and useful answer. I hope some of that
can make it into the FAQ.

If I understand you correctly then the situation is this:

- if you want longer symmetric cyphers, then you are asking for
something that is a mathematical and physical nonsense.

- if you use longer RSA keys, you are being unduly paranoid, and
asking for something that would make life awkward for mobile devices,
etc, but not asking for something that is a complete nonsense -- just
unhelpfully paranoid.

I think it would be good if the FAQ managed to capture that.

Best,

Nicholas

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

reynt0 at cs

May 25, 2012, 4:06 PM

Post #24 of 26 (274 views)
Permalink

Re: Draft of nine new FAQ questions [In reply to]

On Thu, 24 May 2012, Robert J. Hansen wrote:

> On 5/24/12 7:56 PM, reynt0 wrote:
. . .
>> The idea is just to maximize usability to maximum audience,
. . .
> "Maximum audience" is not the same as "maximum usability." The two are
> different properties. When it comes to the written word, ease of
> reading, speed of reading, and comprehension is all improved by using
> reasonable typography. I consider those to be essential usability goals.
>
> If I wanted "maximum audience," I'd try to turn the FAQ into _American
> Idol_.

Hmmm....., I wonder how music and little animated GIF dancers
pointing to the most important parts might look. *<:^}
Cheers.

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

holtzm at cox

May 25, 2012, 4:30 PM

Post #25 of 26 (273 views)
Permalink

Re: Draft of nine new FAQ questions [In reply to]

On Fri, May 25, 2012 at 09:24:32AM -0400, Robert J. Hansen wrote:

.......snip......
>
> At this point you look skywards and scream, "GET ME OUT OF THIS
> METAPHOR! I get it already! A nonconstructive proof doesn't tell us
> anything about /what/ or /why/ or /how/, it just says that something
> /is/! GET ME OUT OF HERE, I don't want to spend the rest of this
> metaphor in a dark room with a raving psychotic!"
>
> Dan helpfully points out as he's reloading that werewolves suffer from
> lycanthropy, not psychosis. As for you, you flee the metaphor for the
> safety of a more literal world.
>
>
>
> [1] In reality, Dan Boneh is a very nice guy, quite reasonable, and
> nothing at all like I'm portraying him here.
>
> [2] http://www.ccs.neu.edu/home/shivers/autoweapons.html

The link is absolutely great!

--
Bob Holtzman
If you think you're getting free lunch,
check the price of the beer.
Key ID: 8D549279

Attachments:

signature.asc (0.19 KB)

1 2

View All

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads