Re: Should one really disable AEAD for recent GnuPG created PGP keys?
It seems to me that there are at least 3 decisions to make when considering the implementation of a new block cipher mode:

1. If your implementation will receive the block mode. Receiving a block mode does not cause an interoperability problem. If anything, this improves interoperability.

2. If your implementation will generate the block mode. This can possibly cause incompatibility.

3. If your implementation will cause other implementations to generate the block mode. This can also possibly cause incompatibility.

So if you were interested in seeing a new block mode in OpenPGP, there is no reason not to do #1. The controversial parts are #2 and #3.

If you were interested, in say, having the OCB block mode in OpenPGP then you would have the greatest chance of success by implementing the most popular version of the available 2 proposals. Correct me if I am wrong, but that would be the LibrePGP (4880bis) version.

So just to be clear, I am not complaining that GnuPG implemented the LibrePGP version of OCB. I am complaining that GnuPG did #2 and #3 before implementation was close to universal and did not clearly spell out the implications to the users.

Speaking of documentation, the implementations that support LibrePGP OCB could be promoting the non-controversial aspects of the new mode. That could help with adoption. Dunno, something like:

    Now with super ultra performance! Just add the "--performance" option and get up to 400% faster encryption!

... where "--performance" would turn off compression, enable the OCB block cipher mode and do whatever else will speed things up. The user, of course, would be made aware that the resulting files might not be decryptable everywhere.

Arch Linux is just dropping #3 with their patch. Their version of GnuPG still supports the OCB mode and can generate it. So they are not really taking a political stance.

The history of Linux distribution patches for stuff like this is not good (the Debian patch against OpenSSL for example). It would be better if Linux distributions were not tempted to issue such patches. There really should be a better way of doing this. Otherwise the users will encounter different behaviour on different Linux distributions.

Bruce

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
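The three decisions in the message above can be made concrete with the Features subpacket of a key's self-signature, which is where decision #3 is expressed. This is an added example, not part of the original post and not GnuPG's code; it assumes the `features: XX` line format of `gpg --list-packets`, uses the flag values from RFC 4880 and the 4880bis/LibrePGP draft, models the sender rule conservatively, and its sample lines are constructed.

```python
import re

# Features subpacket (type 30) flag bits. 0x01 is defined in RFC 4880;
# 0x02 and 0x04 come from the 4880bis / LibrePGP draft.
FEAT_MDC = 0x01    # key holder can receive CFB+MDC
FEAT_AEAD = 0x02   # key holder can receive the OCB (AEAD) packet
FEAT_V5KEY = 0x04  # key holder understands v5 key packets

# Assumed line format of `gpg --list-packets` for this subpacket.
FEATURES_RE = re.compile(r"subpkt 30 len \d+ \(features: ([0-9A-Fa-f]{2})\)")

# Constructed sample lines, not taken from real keys.
KEY_NEW = "\thashed subpkt 30 len 1 (features: 07)\n"
KEY_OLD = "\thashed subpkt 30 len 1 (features: 01)\n"


def advertised_features(list_packets_text):
    """Return the feature byte of every self-signature in the dump."""
    return [int(h, 16) for h in FEATURES_RE.findall(list_packets_text)]


def advertises_aead(list_packets_text):
    """Decision #3: does this key ask senders to generate OCB?"""
    return any(f & FEAT_AEAD for f in advertised_features(list_packets_text))


def choose_mode(recipient_dumps, sender_generates_ocb=True):
    """Decision #2, modelled conservatively: generate OCB only when the
    sender allows it and every recipient key advertises the AEAD bit."""
    if (sender_generates_ocb and recipient_dumps
            and all(advertises_aead(d) for d in recipient_dumps)):
        return "OCB"
    return "CFB+MDC"


if __name__ == "__main__":
    print(choose_mode([KEY_NEW, KEY_NEW]))   # all recipients advertise OCB
    print(choose_mode([KEY_NEW, KEY_OLD]))   # one recipient does not
    print(choose_mode([KEY_NEW], sender_generates_ocb=False))
```
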
Re: Should one really disable AEAD for recent GnuPG created PGP keys?
Hi!

On Tue, 5 Mar 2024 12:39, Tobias Leupold said:

> Sorry for asking another thing about this. For sure, I didn't want to set off
> an avalanche, and I still don't want to. But from a user's perspective, this
> is simply very confusing and also unsettling.

You are right. What I can do is to give my perspective of this which is based on my experience re-implementing a free PGP version since 1997 and while doing that taking part in the OpenPGP specification process which started at the same time.

> https://security.stackexchange.com/questions/275883/should-one-really-disable-aead-for-recent-gnupg-created-pgp-keys
>
> The answer started with:
>
>> While authenticated encryption (AEAD) is good - especially for something
>> like OpenPGP, which is an old and over-complicated standard that has a
>> concerning large attack surface for vulnerabilities or simple implementation

This introduction is pretty unfair but unfortunately as common on the net as the "PGP is way too complicated for anyone to use" claim. In reality PGP (in the form of GnuPG and Thunderbird) is used daily by millions of people who consciously choose to protect their mails and data. If you want to see an over-complicated standard, have a look at S/MIME (aka CMS, X.509) which is implemented by all major mailers but has not the good repudiation of *PGP. See also [1].

The above answer by CBHacking continues:

  I definitely can't recommend enabling a non-standardized
  compatibility-breaking feature by default, and frankly feel that GnuPG
  made a major error in doing so.

That is factually wrong. RNP, the core of Thunderbird's OpenPGP implementation, implemented this too. But instead of fixing all the stuff which got lost during the migration from Enigmail to TB's new OpenPGP code the TB maintainer now wants to remove support for OCB from TB.

IETF specifications are not a standard but a specification how certain things are commonly implemented. The meanwhile most used public key algorithm (Curve25519) is not specified in OpenPGP but nevertheless widely used and accepted.

  From a security perspective, I'm not even sure that just adding an
  OCB-based AEAD mode actually helps anything, in expectation; OpenPGP
  messages can already be authenticated in a few different ways, so
  arguably the likeliest source of security flaws is that the message

S/he is right that formats get more complex and that we already have Authenticated Encryption (the core feature of AEAD) in OpenPGP but exactly that old format is complex and hard to implement. OTOH, the new OCB based Authenticated Encryption is a straightforward implementation of a well researched mode and the gold standard for all block cipher modes. The old format in OpenPGP was an ad-hoc implementation of Authenticated Encryption on top of the legacy PGP-2 format. Thus in the long run the new OCB mode will reduce the complexity.

The answer shows in bold:

  Given that you work with non-GnuPG clients, and that this feature is
  not part of the OpenPGP specification, and that OpenPGP already
  includes message authentication and integrity, I recommend disabling
  this feature for now.

With the same argument you could also stop using TLS 1.3 and instead keep on using TLS 1.2 in eternity. In most cases 1.3 has no real world advantages when done right. However, most sites allow for both 1.3 and 1.2 and only a few disallow 1.2 which leads to the same problems as we see with the removal of support by some application and some Linux distros.

  Note that you'll have to re-encrypt the data for non-GPG clients after
  disabling this non-standard feature.

Also most other things CBHacking wrote are okay, this one is simply wrong. This is not a gpg only feature.

> from somebody with an impressive reputation on the network, for whom I
> suppose

Well, some anonymous account on stackexchange. I can't tell.

Salam-Shalom,

   Werner

[1] Let me quote Peter Gutmann, a really well repudiated expert on all things security, on S/MIME: "As a result there's no pressure on the people involved in PKI standardisation to create anything that meets any real-world requirement, allowing them instead to spend their time building great gothic cathedrals of infinite complexity whose sole purpose seems to be to strike awe and terror into the masses." I hope that *PGP stops evolving into this direction.

--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
Re: Should one really disable AEAD for recent GnuPG created PGP keys?
Sorry for asking another thing about this. For sure, I didn't want to set off an avalanche, and I still don't want to. But from a user's perspective, this is simply very confusing and also unsettling.

I think that somewhere, there should be some documentation, FAQ or whatever, as a definitive source for the correct facts. Because we have this statement:

> That is not a GnuPG specific but an agreed upon format by the participants
> of the OpenPGP WG and implemented by all major implementations.

Which does not match what others say (apart from Vincent's statement) ... e.g. I also asked for what to do on Stack Exchange:

https://security.stackexchange.com/questions/275883/should-one-really-disable-aead-for-recent-gnupg-created-pgp-keys

The answer started with:

> While authenticated encryption (AEAD) is good - especially for something
> like OpenPGP, which is an old and over-complicated standard that has a
> concerning large attack surface for vulnerabilities or simple implementation
> errors - I definitely can't recommend enabling a non-standardized
> compatibility-breaking feature by default, and frankly feel that GnuPG made
> a major error in doing so

from somebody with an impressive reputation on the network, for whom I suppose he knows what he's talking about.

So: Is this standardized, or is it not?

As said: I don't want to provoke a flame war. I'm just interested in objective facts ...
Re: Your message to Gnupg-users awaits moderator approval
On Mon, 4 Mar 2024 15:34, Matěj Cepl said:

> like this one. My key has been signed by 60+ signatures, but
> still 45K just for that seems excessive. Is there some way how to
> generate something meaningful, which would be smaller?

  gpg --export -a --export-options export-minimal FOO >foo.asc

this keeps just your self-signatures. There are other ways too but they are more complicated.

Let me quickly raise the limit on the mailing list. It has been set up a long time ago. I guess 100k should be sufficient.

BTW, thanks to the nice folks who silently do their moderator jobs for years and years.

Shalom-Salam,

   Werner

--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
Re: Should one really disable AEAD for recent GnuPG created PGP keys?
On Mon, 4 Mar 2024 19:05, Tobias Leupold said:

> IMO interoperability with GnuPG is crucial for this project. Most
> people using that on their phones will come from Linux, or they will

Actually most users will come from Windows ;-)

Salam-Shalom,

   Werner

--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
Re: Should one really disable AEAD for recent GnuPG created PGP keys?
On Tue, 5 Mar 2024 00:16, Vincent Breitmoser said:

> The packet format referred to here is GnuPG-specific. In November

Vincent, please stop spreading wrong facts. That is not a GnuPG specific but an agreed upon format by the participants of the OpenPGP WG and implemented by all major implementations.

This was done in the same way we handle that since 1997 - the implementers agreed upon some format, implemented it and later described it in some draft document. For example the current AEAD mode (CFB+MDC) was agreed upon in the year 2000 and implemented by both existing implementations (PGP and GnuPG). It took then 8 years before it was codified in an RFC. Same thing for modern ECC curves - implemented by everyone but no detailed specs out there. Modern AEAD mode (OCB) was specified and cross-tested in 2018 but some people, driving their own agenda, dropped that in fall 2021 and came up with another format with no solid reason.

Bruce: I understand your claims and we have been very careful not to break anything when implementing a modern mode. That mode is really required because the old CFB+MDC is slow and policy makers don't like it because it is not on their list of modern algorithms.

The problem here is that group of newcomers with their niche implementations who want to gain an advantage compared to the existing implementations. Unfortunately supported by a few people like Vincent who patch out things or don't use their existing stuff. OTOH, it is not a real problem because they are, well, niche implementations, albeit with a loud voice.

> 2023, GnuPG forked the OpenPGP standard as "LibrePGP", in protest of

Right, Ribose and GnuPG came up with that site to explain what was going wrong and to have a descriptive name for the actual OpenPGP standard in current use.

All has been said and there is no need to continue spreading wrong facts from your rebellion group aiming to discredit the most widely used standard for mail and data encryption. Please go to your own list and continue there. Here is no place to repeat that.

My last word on this on this ML.

Salam-Shalom,

   Werner

--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein