On Tue, 17 Mar 2015 20:44, r...@sixdemonbag.org said:

> Given that 2.1 introduces a lot of new capabilities (mostly with respect
> to ECC), I think now, early on in the 2.1 series, would be a good time
> to discuss changing the defaults for newly-generated certificates.
Let's do a quick check of the status quo (I removed some of the extra
diagnostics from the examples):

Create a new key:

  $ gpg --no-options --quick-gen-key 'test key <f...@example.org>'
  About to create a key for:
      "test key <f...@example.org>"

  Continue? (Y/n) y
  public and secret key created and signed.

  pub   rsa2048/50C4476F 2015-03-18
        Key fingerprint = 11E9 91C2 36E0 21A6 1E35 A682 68CC E4C2 50C4 476F
  uid         [ultimate] test key <f...@example.org>
  sub   rsa2048/807D0FF4 2015-03-18

What are the preferences:

  $ gpg --no-options --edit-key 50C4476F
  gpg (GnuPG) 2.1.3-beta26; Copyright (C) 2015 Free Software Foundation, Inc.

  Secret key is available.

  pub  rsa2048/50C4476F
       created: 2015-03-18  expires: never       usage: SC
       trust: ultimate      validity: ultimate
  sub  rsa2048/807D0FF4
       created: 2015-03-18  expires: never       usage: E
  [ultimate] (1). test key <f...@example.org>

  gpg> showpref
  [ultimate] (1). test key <f...@example.org>
       Cipher: AES256, AES192, AES, 3DES
       Digest: SHA256, SHA384, SHA512, SHA224, SHA1
       Compression: ZLIB, BZIP2, ZIP, Uncompressed
       Features: MDC, Keyserver no-modify

Sign something (there is only the above new key in the keyring):

  $ fortune | gpg --no-options --clearsign -v
  -----BEGIN PGP SIGNED MESSAGE-----
  Hash: SHA256

  Whenever people agree with me I always feel I must be wrong.
                  -- Oscar Wilde
  gpg: RSA/SHA256 signature from: "50C4476F test key <f...@example.org>"
  -----BEGIN PGP SIGNATURE-----
  Version: GnuPG v2

  iQEcBAEBCAAGBQJVCSpjAAoJEGjM5MJQxEdvQOUH/1G0xVxUppAHjqy6E5h8Pds+
  R9IhpACMwx+b01KudyTQ1rw1Y6Gy47vRhtaZaY9H7g9Ua8N7CtDWDUlbN/A+vovr
  7NX7yh8VXNqTYg9iCbwtL3KrN5b+gImWC7XxKgmJ5MqtRdOnjrGRG+R/1Yz/K6+3
  dKtD+o7WSToWiZRaqraIEFaHuHHPhhTbZd9rPkkoVhR8IfuwVP9WiWgL1En1khiC
  jNN4XBTO6JYm9wxYnbKTr5pIkNIdkXJEXSSO0VDu+jcx0eXiQlHVM2Za+8F0e59o
  rhaD61+7MFRp7W85eq9DphK8ZQkYSiVFmxP05KtBn0ym+CWyOZQTknJTZq2rpGI=
  =TRJn
  -----END PGP SIGNATURE-----

Do a symmetric encryption:

  $ fortune | gpg --no-options -ca -v
  gpg: using cipher AES
  gpg: writing to stdout
  -----BEGIN PGP MESSAGE-----
  Version: GnuPG v2

  jA0EBwMCEKZ9P8JsqIXk0n0BXv33OI6+DtCIKj4eizkTHI4uFnlwYxa8mGDmNPZX
  7f8Q0f5L621bNvyIgCrV+gmfMXbXd2jtUXOAu0Q/g9gpkNEQhEJKcFBk1VDaAM0j
  dg8LeF/iT8HUjSmsWXbOCvYRh3MtIbYSEC299yBZJ+gG44Akgypl80dubLXhcA==
  =doWz
  -----END PGP MESSAGE-----

Now:

> * Offer Brainpool-512 and RSA-3072 as options for
>   newly-generated certificates

The default is RSA-2048 but there is an option to create RSA-3072.  GUIs
may choose their own defaults.

Using Brainpool as default for ECC (by the time we can get ECC out of the
export mode) is obviously something the German secret services would like
to see.  Recent revelations about the BSI and its support for "remote
forensic toolkits" (aka Federal Trojan Tool) won't convince people that
Brainpool curves are safer than NIST curves.  Anyway, the plan is to make
Curve25519 the default for ECC.  There are also options for stronger ECC
curves not related to US or European standard bodies.

> * Use AES256 for a symmetric cipher

As shown above AES128 (AES) is the default for symmetric encryption.
Symmetric encryption is for whatever reasons commonly used for bulk data
encryption and performance is a matter here:

                  |  nanosecs/byte   mebibytes/sec   cycles/byte
  AES             |
          CFB enc |     1.77 ns/B     537.9 MiB/s      4.08 c/B
          CFB dec |    0.365 ns/B    2612.1 MiB/s     0.840 c/B
  AES256          |
          CFB enc |     2.47 ns/B     386.5 MiB/s      5.67 c/B
          CFB dec |    0.530 ns/B    1799.4 MiB/s      1.22 c/B

Thus on my X220 you get a 40% speedup by using 128 bit AES.  Well, the
numbers are from Libgcrypt and don't include the overhead due to the
protocol, but it is faster.  For public key encryption AES-256 will anyway
be used by default.

> * Raise a warning if the user attempts to encrypt more
>   than 4 GiB with an old (64-bit block) cipher

Except for 3DES there is no 64 bit block cipher in the preferences:

       Cipher: AES256, AES192, AES, 3DES

A key capable of only 3DES will be rare and must have been created on
purpose or by very old software.  They want 3DES and thus they get it.

> * Only use CAST5 if the user explicitly requests it via
>   default-cipher-preferences: prefer 3DES over CAST5

Already done.  See above.

> * Only use IDEA if the user explicitly requests it via
>   default-cipher-preferences: prefer 3DES over IDEA

IDEA is not included in the preferences.

> * Use SHA256 for RSA-3072/-4096 signatures and SHA512
>   for Brainpool-512

Already used even for RSA-2048.  See example above.

> * CAST5 is not in good health: as was recently mentioned in
>   the IETF WG mailing list, the Canadians themselves still

I have seen no arguments why CAST5-128 as used by OpenPGP is now weaker
than other 64 bit ciphers.  BTW, the post mentioning CAST5 also falsely
claimed that CAST5 is a 128 bit blocksize cipher.  Maybe the confusion
comes from the fact that CAST is actually a method to create block
ciphers.  But it is not used anyway.

> * 3DES is still the Rock of Gibraltar. Big, slow, ungainly,
>   and strong.
>   It's nobody's idea of a good modern cipher, but

Here are the numbers; for fairness AES-NI (Intel's AES hardware support)
has been disabled:

                  |  nanosecs/byte   mebibytes/sec   cycles/byte
  AES             |
          CFB enc |     3.88 ns/B     245.8 MiB/s      8.92 c/B
          CFB dec |     3.18 ns/B     299.6 MiB/s      7.32 c/B
  3DES            |
          CFB enc |    37.69 ns/B     25.30 MiB/s     86.69 c/B
          CFB dec |    20.04 ns/B     47.58 MiB/s     46.10 c/B


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are governed by a federal law.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
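The cipher-preference negotiation and the proposed 64-bit-block warning discussed in the message above, as an added Python example that is not GnuPG's code: it parses the `showpref` cipher line shown in the mail, applies RFC 4880's rule that 3DES is tacitly at the end of every preference list, and uses the 4 GiB threshold from the quoted proposal. It assumes the cipher spellings GnuPG prints, lets the first recipient's ordering decide (a simplification of GnuPG's own ranking), and the "old key" input is constructed, not from the mail.

```python
import re

# Block size in bits of the cipher names GnuPG prints in showpref (assumed spelling).
BLOCK_BITS = {
    "AES": 128, "AES192": 128, "AES256": 128, "TWOFISH": 128,
    "CAMELLIA128": 128, "CAMELLIA192": 128, "CAMELLIA256": 128,
    "3DES": 64, "CAST5": 64, "IDEA": 64, "BLOWFISH": 64,
}
FOUR_GIB = 4 * 1024 ** 3  # threshold from the quoted proposal

# Constructed inputs: the preference block from the mail above and a
# hypothetical old-style key that lists only 64-bit block ciphers.
NEW_KEY_SHOWPREF = """\
[ultimate] (1). test key <f...@example.org>
     Cipher: AES256, AES192, AES, 3DES
"""
OLD_KEY_SHOWPREF = """\
[unknown] (1). old key <old@example.org>
     Cipher: CAST5, 3DES
"""

def parse_cipher_prefs(showpref_text):
    """Return the ordered cipher list from a showpref dump."""
    m = re.search(r"^\s*Cipher:\s*(.+?)\s*$", showpref_text, re.MULTILINE)
    if not m:
        raise ValueError("no Cipher: line found")
    return [c.strip() for c in m.group(1).split(",")]

def negotiate_cipher(pref_lists):
    """First cipher in the first recipient's list that every recipient
    accepts.  3DES is the MUST-implement algorithm, so RFC 4880 13.2
    treats it as tacitly present at the end of every list."""
    common = set.intersection(*(set(p) | {"3DES"} for p in pref_lists))
    for cipher in pref_lists[0] + ["3DES"]:
        if cipher in common:
            return cipher

def check_bulk_encryption(pref_lists, nbytes):
    """Return (cipher, warn); warn is True when a 64-bit block cipher
    would be used for more than 4 GiB, the case the proposal flags."""
    cipher = negotiate_cipher(pref_lists)
    warn = BLOCK_BITS.get(cipher, 64) == 64 and nbytes > FOUR_GIB
    return cipher, warn

if __name__ == "__main__":
    new = parse_cipher_prefs(NEW_KEY_SHOWPREF)
    old = parse_cipher_prefs(OLD_KEY_SHOWPREF)
    print(check_bulk_encryption([new, new], 5 * 1024 ** 3))  # ('AES256', False)
    print(check_bulk_encryption([new, old], 5 * 1024 ** 3))  # ('3DES', True)
```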