On 06/28/2014 12:09 AM, Robert J. Hansen wrote:
> When faced with that, it's only a matter of time until Alice decides to
> put 3DES first in her own preference list. And then all her
> communications to Bob have 112 bits of keyspace, not the 256 Bob
> demands.

I think you're talking about personal-cipher-preferences here, which Alice uses to govern the cipher she uses. Note that she could even put IDEA first here. Are you suggesting that she *removes* all other cipher algorithms from her advertised preference list as well, or does she actually advertise all ciphers her OpenPGP implementation is capable of?

> And unless Bob is paranoid enough to check the symmetric
> algorithm used on every single encrypted message, Bob will never know
> that Alice's communications to him have been degraded.

Well, OK. Alice could also publish the cleartext on her blog, and Bob would never know it if he doesn't read her blog. Bob can't control what Alice does; what he can do is to advertise his preferences in a cryptographically-verifiable way, and set *his own* personal-cipher-preferences to prefer stronger ciphers. Then, unless Alice has actively removed all ciphers from her advertised preferences except for 3DES, Bob's personal-cipher-preferences will take precedence in the messages that he sends.

I feel like I shouldn't have to point this out, but:

* This is what the best practices page we've been discussing is suggesting.

This is the right thing to do, and Bob should do it, regardless of whatever bad advice Alice has bought into. Arguing that it's hopeless/pointless/harmful to prefer stronger ciphers yourself because one of your correspondents might be tricked into disabling stronger ciphers makes no sense from either a security or interoperability perspective.

I'm really sorry to hear about your graduate student debt, Rob, but this is not the best way to pay it off :P

> Werner and others are absolutely right: there is no *technical* way to
> degrade things to 3DES. But given that cipher preference lists are
> fundamentally a *human* decision, well... the human being is always
> exploitable.

Of course.

And we should make our defaults better and encourage stronger mechanisms for everyone, instead of trying to claim that using well-known, widely-adopted, clearly-specified, longstanding algorithms is somehow "breaking the spec". I'm sure you're not trying to claim that AES is actually a worse cipher than DES, or that members of the SHA-2 family are actually worse digests than SHA-1.

So I think the scenario you paint above reinforces the points made by the riseup best practices document.

--dkg
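The negotiation the thread argues about, as an added example that is not part of the original message and not GnuPG's code: a simplified model of OpenPGP symmetric-cipher selection (RFC 4880, section 13.2) in which every recipient's advertised list implicitly contains 3DES and the sender's personal-cipher-preferences fix the order in which candidates are tried. The cipher names and preference lists for Alice and Bob are constructed for illustration.

```python
# Simplified model of OpenPGP symmetric-cipher negotiation (RFC 4880, 13.2):
# every recipient's advertised list implicitly contains 3DES, and the sender's
# personal-cipher-preferences decide the order in which candidates are tried.
# Written for this thread as an illustration; not GnuPG's implementation.
from typing import Dict, Sequence, Set

IMPLICIT = "3DES"  # the one cipher every implementation must accept


def acceptable_to_all(recipients: Sequence[Sequence[str]]) -> Set[str]:
    """Ciphers advertised by every recipient, with 3DES always included."""
    common = None
    for advertised in recipients:
        offered = set(advertised) | {IMPLICIT}
        common = offered if common is None else common & offered
    return common if common is not None else {IMPLICIT}


def select_cipher(sender_personal: Sequence[str],
                  recipients: Sequence[Sequence[str]]) -> str:
    """First cipher in the sender's personal order that all recipients accept.
    With no personal preferences, the first recipient's own order is used."""
    common = acceptable_to_all(recipients)
    order = list(sender_personal) or list(recipients[0]) + [IMPLICIT]
    for cipher in order:
        if cipher in common:
            return cipher
    return IMPLICIT  # the intersection always holds 3DES, but be explicit


def scenario() -> Dict[str, str]:
    """The Alice/Bob exchanges discussed in the thread (constructed lists)."""
    bob_advertised = ["AES256", "AES192", "AES", "CAST5"]
    bob_personal = ["AES256", "AES192", "AES"]
    alice_advertised = ["AES256", "AES", "CAST5"]
    alice_personal_3des_first = ["3DES", "AES"]   # the "human" downgrade
    alice_only_3des = ["3DES"]                    # stripped advertised list
    return {
        # Alice put 3DES first: her mail to Bob is encrypted with 3DES.
        "alice_to_bob": select_cipher(alice_personal_3des_first, [bob_advertised]),
        # Bob's own preferences prevail for what he sends to Alice.
        "bob_to_alice": select_cipher(bob_personal, [alice_advertised]),
        # Only if Alice strips everything but 3DES is Bob forced down as well.
        "bob_to_stripped_alice": select_cipher(bob_personal, [alice_only_3des]),
        # A message to both: the intersection rules, ordered by Bob's list.
        "bob_to_both": select_cipher(bob_personal, [alice_advertised, bob_advertised]),
    }
```

Bob checking the cipher actually used on each incoming message is a separate step; this model only shows which cipher the sender's implementation will pick.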
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users