Re: Can you clarify when data compression is used?
On Sat, Feb 09, 2008 at 11:29:08PM -0600, Kevin Hilton wrote:
> >Twofish is almost entirely abandoned nowadays, but it still exists in
> >PGP and GnuPG. Once a bad decision is made in engineering, the
> >engineers are stuck supporting it forever.
>
> Is this statement really true or just opinion? Bruce Schneier is one
> of my favorite cryptanalysts.

It's basically true, at least in the context of OpenPGP. Note that the statement doesn't say that Twofish is insecure. It's just that when AES came along, it eclipsed many/most of the ciphers with similar capabilities.

From the perspective of the researcher who wants to attack a cipher, they'll attack AES because lots of people use it. From the perspective of the user of crypto, they'll use AES because of all the research on it. Repeat this cycle enough times, and you can see why Twofish isn't used much.

David

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Can you clarify when data compression is used?
Kevin Hilton wrote:
> Is this statement really true or just opinion? Bruce Schneier is one
> of my favorite cryptanalysts.

Bruce recommends against using Twofish for crypto applications. He has never backed off from either of two claims:

1. Twofish is a secure cipher that would have made an excellent AES.
2. People should use AES for symmetric crypto needs.

He has said #1 many times and keeps a page on his site devoted to the most recent research into Twofish. He has said #2 many times, particularly in his book _Practical Cryptography_.
Re: Can you clarify when data compression is used?
>Twofish is almost entirely abandoned nowadays, but it still exists in
>PGP and GnuPG. Once a bad decision is made in engineering, the
>engineers are stuck supporting it forever.

Is this statement really true or just opinion? Bruce Schneier is one of my favorite cryptanalysts.
Re: Can you clarify when data compression is used?
On Mon, Feb 04, 2008 at 11:12:02PM -0600, Robert J. Hansen wrote:
> I suspect--although I do not know--that a similar motivation drove
> GnuPG's decision to leave DSA-1024 as the standard.

That's basically the reason. While GPG fully supports DSA2 signatures today, there is a large installed base that cannot handle them. Because of this, we decided to fully accept DSA2 keys and signatures from elsewhere, but won't generate a new DSA2 key unless the user opts in with --enable-dsa2.

> Now that RFC4880 has come out, supplanting RFC2440, I imagine the way is
> clear to make all new keys DSA-2048 or DSA-3072. After all, now it's
> part of the standard.

The way is clear, and we'll get there eventually, but the installed base is still pretty old. Using --rfc4880 or --openpgp does enable DSA2, but the default is still off.

David
Re: Can you clarify when data compression is used?
Kevin Hilton wrote:
> In the same vein, aren't key sizes larger than 1024
> bits actually now recommended?

As I understand it, it's largely due to engineering concerns rather than mathematical concerns.

The RFC which specifies the OpenPGP protocol first came out in 1998. It began to receive revisions almost immediately (the -bis series: RFC2440bis1, RFC2440bis2, etc.). These -bis series were meant as previews of the next official RFC, whenever it would be published. However, the original RFC remained canonical. That specified DSA-1024.

In order to closely follow the RFC, GnuPG left the default as DSA-1024. This was probably the right call to make for interoperability reasons.

As an example of what happens when people decide to move beyond the RFC, look at PGP 7.0. Management at PGP Security decided that Twofish was the likely winner of the AES competition, and so they put Twofish into PGP. This put pressure on GnuPG to put Twofish into GnuPG, in order to interoperate with PGP.

Twofish is almost entirely abandoned nowadays, but it still exists in PGP and GnuPG. Once a bad decision is made in engineering, the engineers are stuck supporting it forever. Take a look through the archives sometime and see how many people have bitterly complained about TIGER192 no longer being supported, despite the fact it was part of GnuPG for about three and a half milliseconds.

I suspect--although I do not know--that a similar motivation drove GnuPG's decision to leave DSA-1024 as the standard.

Now that RFC4880 has come out, supplanting RFC2440, I imagine the way is clear to make all new keys DSA-2048 or DSA-3072. After all, now it's part of the standard.
Re: Can you clarify when data compression is used?
>As of 1.4.8 and 2.0.8, and subject to change in future versions:
>
>Cipher: AES256, AES192, AES, CAST5, 3DES
>Hash: SHA1, SHA256, RIPEMD160
>Compression: ZLIB, BZIP2, ZIP, None

You are absolutely correct about these settings. Perhaps this should be included in documentation (and changed when needed), since I would consider these to be the default settings for cipher, hash, and compression choice.

>All the --enable-dsa2 switch
>does (and again, it's off by default in 1.4.8 and 2.0.8), is allow you
>to generate a DSA key that is larger than 1024 bits or has a hash
>larger than 160 bits.

This seems peculiar to me. Why is this setting turned off by default? I'm not at war with anyone in these forums, but many have acknowledged the shortcomings of using 160 bit hashes -- at least with the SHA1 hash. In the same vein, aren't key sizes larger than 1024 bits actually now recommended? The default fallback allows the creation of a 1024 bit DSA key utilizing the SHA-1 hash -- the preferred preference. Again I know nothing about cryptography but based on the links provided by users of this forum, it would seem that the choice of a larger DSA key and different hash would be preferable?
Re: Can you clarify when data compression is used?
On Mon, Feb 04, 2008 at 09:26:14PM -0600, Kevin Hilton wrote:
> I'm aware of the personal cipher preferences and personal hash
> preferences, but when talking about the defaults I'm specifically asking
> if gpg were installed from source -- no modifications made -- and gpg
> keys were created - what default cipher and hash would be listed first
> in the list with the keys?
>
> Without any intervention
> gpg-key-gen
>
> It appears to manually choose a DSA signing key (DSA vs DSA2 --
> ambiguous since the man pages contain a switch to --enable-dsa2 in the
> gpg.conf file) with SHA1 hash -- or at least the SHA1 hash is ranked
> first in the key preference list

As I said earlier, DSA. Trust me. It's really DSA. DSA doesn't have a particular hash (so it can't have SHA1 or anything else as a hash). It has a hash length.

Don't get hung up on the DSA/DSA2 thing. In actuality, there is no such algorithm as "DSA2". Most people call DSA with a key larger than 1024 bits or a hash larger than 160 bits "DSA2" for convenience. All the --enable-dsa2 switch does (and again, it's off by default in 1.4.8 and 2.0.8), is allow you to generate a DSA key that is larger than 1024 bits or has a hash larger than 160 bits.

> For the encryption key - a ElGamal 2048 bit key is the default with
> AES chosen as the first cipher contained in the key cipher preference.

No. The first cipher is AES256. AES and AES256 are not the same cipher (AES in OpenPGP is AES128).

> What I want to know is obviously GnuPG comes with a
> --default-preference-list "built-in". If I don't specify this setting
> in the gpg.conf file, what string is used by default? This would
> basically reveal the order and list of all the defaults for ciphers,
> hashes, and compression settings.

As of 1.4.8 and 2.0.8, and subject to change in future versions:

Cipher: AES256, AES192, AES, CAST5, 3DES
Hash: SHA1, SHA256, RIPEMD160
Compression: ZLIB, BZIP2, ZIP, None

You could see this for yourself: generate a key, and run "showpref" on it (which is in the manual, by the way).

David
Re: Can you clarify when data compression is used?
I'm aware of the personal cipher preferences and personal hash preferences, but when talking about the defaults I'm specifically asking if gpg were installed from source -- no modifications made -- and gpg keys were created - what default cipher and hash would be listed first in the list with the keys?

Without any intervention
gpg-key-gen

It appears to manually choose a DSA signing key (DSA vs DSA2 -- ambiguous since the man pages contain a switch to --enable-dsa2 in the gpg.conf file) with SHA1 hash -- or at least the SHA1 hash is ranked first in the key preference list

For the encryption key - a ElGamal 2048 bit key is the default with AES chosen as the first cipher contained in the key cipher preference.

Basically I'm aware of the --default-preference-list option in the gpg.conf file that controls preferences during key generation. I know how to use this option, but sadly I think the explanation is really lacking:

--default-preference-list string
    Set the list of default preferences to string. This preference list is used for new keys and becomes the default for "setpref" in the edit menu.

What I want to know is obviously GnuPG comes with a --default-preference-list "built-in". If I don't specify this setting in the gpg.conf file, what string is used by default? This would basically reveal the order and list of all the defaults for ciphers, hashes, and compression settings.
Re: Can you clarify when data compression is used?
David Shaw wrote:
> GPG doesn't use the Stable Marriage Problem when picking algorithms,
> as this gives too much "power" to the recipients in choosing which
> algorithm is used.

It wasn't my intention to claim the SMP was used directly, but rather that it was an analogous process. It's a good introduction to the idea of mathematical preference matching. I apologize for any confusion generated there.
Re: Can you clarify when data compression is used?
On Mon, Feb 04, 2008 at 12:57:34PM -0600, Robert J. Hansen wrote:
> Kevin Hilton wrote:
> > The problem I have, is that nowhere in the documentation are the
> > defaults specified.
>
> From the first full paragraph of the manpage: "[GnuPG] is a tool to
> provide digital encryption and signing services using the OpenPGP
> standard. [GnuPG] features complete key management and all bells and
> whistles you can expect from a decent OpenPGP implementation."
>
> To me, that language is pretty clear about where you should look--the
> OpenPGP standard, aka RFC4880, or its immediate predecessor RFC2440.
>
> That said, just because I think it's clear doesn't necessarily mean it
> /is/ clear. If it turns out that language is confusing or unclear, it
> should definitely be changed to point people in the right direction.

The RFC doesn't specify default algorithms, aside from requiring 3DES as the algorithm of last resort. All decisions about algorithm ranking are made by the implementations and indirectly, the user.

It's hard to list default algorithms in the man page mainly because there isn't a single answer. Different people will get a different default algorithm depending on who they are sending a message to, and possibly even by the order in which they specify the recipients on the command line (see below). All of this would need many paragraphs of explanation, and that's not really appropriate for a man page. I do agree it would be good for it to be documented somewhere, though.

> > I'm still confused what default cipher is chosen automatically (for
> > me it's AES).
>
> http://en.wikipedia.org/wiki/Stable_marriage_problem

GPG doesn't use the Stable Marriage Problem when picking algorithms, as this gives too much "power" to the recipients in choosing which algorithm is used. Rather, the intersection of preferences for all recipients is generated, leaving an unordered list of algorithms that are possible contenders for use.

At this point, note that it would be possible to pick an algorithm from the list randomly, as there is no algorithm on the list that isn't usable for all recipients. GPG uses the personal-(whatever)-preferences as the final decider. It works its way down the personal preferences list in ranked order, consulting the personal preferences against the generated intersection list of recipient algorithms. This gives the user the power to decide what algorithms he or she generates, which is putting the power in the right place.

If there are no personal-foo-preferences in use, then GPG uses the first key specified as the decider. This key is frequently the user's key, so is a reasonable choice to pick the favored algorithm.

David
Re: Can you clarify when data compression is used?
Kevin Hilton wrote:
> The problem I have, is that nowhere in the documentation are the
> defaults specified.

From the first full paragraph of the manpage: "[GnuPG] is a tool to provide digital encryption and signing services using the OpenPGP standard. [GnuPG] features complete key management and all bells and whistles you can expect from a decent OpenPGP implementation."

To me, that language is pretty clear about where you should look--the OpenPGP standard, aka RFC4880, or its immediate predecessor RFC2440.

That said, just because I think it's clear doesn't necessarily mean it /is/ clear. If it turns out that language is confusing or unclear, it should definitely be changed to point people in the right direction.

I wonder who the GnuPG documentation czar is. Hmm. I don't know if that's ever been mentioned on the list--David, Werner, who's responsible for the docs?

> I'm still confused what default cipher is chosen automatically (for
> me it's AES).

http://en.wikipedia.org/wiki/Stable_marriage_problem

Everyone has a ranked list of preferences. The preferences of all recipients are considered and the stable marriage problem solved. The outcome of that computation is what algorithm GnuPG will use.

3DES is implicitly in everyone's preference list, so it can be fairly said that 3DES is the default cipher preference. Even if everything else goes to hell, 3DES will be available and will be selected.
Re: Can you clarify when data compression is used?
On Mon, Feb 04, 2008 at 07:35:11AM -0600, Kevin Hilton wrote:
> > The one specific piece of advice:
> >
> > * Unless you can articulate a clear need why the defaults will not
> >   work for your purpose, stick with the defaults.
>
> I think I've seen this piece of advice before, and for the most part I
> agree with it. The problem I have, is that nowhere in the
> documentation are the defaults specified. You want me to trust the
> defaults, but my contention is, at least tell me what the defaults are
> -- no explanation needed. We had this discussion with the default
> cipher and hash choices. When you tell me that dsa2 is enabled by
> default (in newer GnuPG versions), however in the man pages there is
> still a --enable-dsa2 flag, I hope you understand my confusion.

DSA2 is not enabled by default. It can be enabled with --openpgp or --rfc4880 (or --enable-dsa2 of course).

> I'm still confused what default cipher is chosen automatically (for
> me it's AES).

There isn't a straightforward answer. Basically, there is a list of ciphers that is put in each key by default. Currently that list is AES256, AES192, AES, CAST5, and 3DES, but it can be changed at key generation time (via the --default-preference-list option), or any time afterwards (via the --edit-key command "setpref").

At encryption time, the list of possible ciphers is retrieved from each recipient key, and a cipher is chosen that all recipients can handle. This guarantees that you never send a message that your recipient won't be able to read.

It isn't always AES for you - it's just that for that particular message, AES happened to work for all the recipients.

David
Re: Can you clarify when data compression is used?
On Mon, Feb 04, 2008 at 01:17:48AM -0600, Kevin Hilton wrote:
> On Feb 4, 2008 1:17 AM, Kevin Hilton <[EMAIL PROTECTED]> wrote:
>
> > Although not supported on all systems (and not included on ubuntu by
> > default if you can believe it), does bzip2 offer the highest compression?

It depends on what you are compressing. BZip2 tends to do better than zip against straight text, for example.

> > I know that --personal-compress-preferences may be included in the
> > gpg.conf file to take advantage of bzip2 or zlib if desired. Does PGP
> > still only recognize ZIP or no compression?

Current PGP handles BZip2, ZLIB, and Zip (and of course no compression). Even if you're communicating with a person whose program doesn't support BZip2, it is safe to put BZip2 in your personal-compress-preferences. Those preferences are only used if all parties agree, so you won't accidentally create an interoperability problem. This is true of all the personal-(whatever)-preferences lists.

David
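[Added example, not part of any post in this thread and not GnuPG source code.] The selection David Shaw describes in his replies above (intersect all recipients' lists, let the personal preferences decide, otherwise use the first key specified) can be modelled as follows. The BOB and CAROL keys, the function names, and the treatment of "None" as an always-available compression fallback are assumptions made for the illustration.

```python
# Simplified model of the algorithm selection described in the thread.


def usable_by_all(recipient_prefs, fallback):
    """Unordered set of algorithms that every recipient key lists.

    `fallback` is treated as implicitly present on every key, as the
    thread says of 3DES for ciphers.
    """
    sets = [set(prefs) | {fallback} for prefs in recipient_prefs]
    return set.intersection(*sets)


def select_algorithm(recipient_prefs, fallback, personal_prefs=()):
    """Pick one algorithm for a message to all recipients.

    recipient_prefs: ranked lists, one per key, in command-line order.
    personal_prefs:  the sender's personal-*-preferences list, if any.
    """
    if not recipient_prefs:
        raise ValueError("at least one recipient key is required")
    common = usable_by_all(recipient_prefs, fallback)
    # Personal preferences are the decider; without them, the ranking on
    # the first key specified is used instead.
    decider = list(personal_prefs) or list(recipient_prefs[0])
    for algo in decider:
        if algo in common:
            return algo
    # Choice made by this model: nothing ranked matched, use the fallback.
    return fallback


# Constructed sample keys. ALICE carries the default lists quoted in the
# thread for 1.4.8 / 2.0.8; BOB and CAROL are hypothetical.
ALICE = {"cipher": ["AES256", "AES192", "AES", "CAST5", "3DES"],
         "compress": ["ZLIB", "BZIP2", "ZIP", "None"]}
BOB = {"cipher": ["CAST5", "AES", "3DES"],
       "compress": ["ZIP", "None"]}
CAROL = {"cipher": ["AES256", "AES", "CAST5", "3DES"],
         "compress": ["ZLIB", "BZIP2", "ZIP", "None"]}


def pick(keys, kind, personal_prefs=()):
    # Assumption of this model: sending uncompressed ("None") is always
    # acceptable, mirroring the role 3DES plays for ciphers.
    fallback = "3DES" if kind == "cipher" else "None"
    return select_algorithm([k[kind] for k in keys], fallback, personal_prefs)


if __name__ == "__main__":
    sender_compress = ["BZIP2", "ZLIB", "ZIP"]
    print(pick([ALICE, BOB, CAROL], "cipher"))   # first key decides
    print(pick([BOB, ALICE, CAROL], "cipher"))   # recipient order matters
    print(pick([ALICE, BOB], "compress", sender_compress))
    print(pick([ALICE, CAROL], "compress", sender_compress))
```

Listing BZIP2 first in the sender's preferences never produces a message BOB cannot read: BZIP2 is chosen only when every recipient key lists it.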
Re: Can you clarify when data compression is used?
On Sun, Feb 03, 2008 at 11:48:13PM -0600, Kevin Hilton wrote:
> Is the data compression algorithm applied to the text prior to being
> converted to ciphertext, or is the ciphertext compressed, or is it the
> combination of the ciphertext and encrypted session key that is compressed?

Prior. Ciphertext doesn't compress particularly well. Plus, there is a minor (as in "don't rely on it, but it's nice to have") security improvement in encrypting already-compressed data.

> I can't seem to find any documentation discussing this.

RFC-4880 documents this.

David
Re: Can you clarify when data compression is used?
> The one specific piece of advice:
>
> * Unless you can articulate a clear need why the defaults will not
>   work for your purpose, stick with the defaults.

I think I've seen this piece of advice before, and for the most part I agree with it. The problem I have, is that nowhere in the documentation are the defaults specified. You want me to trust the defaults, but my contention is, at least tell me what the defaults are -- no explanation needed. We had this discussion with the default cipher and hash choices. When you tell me that dsa2 is enabled by default (in newer GnuPG versions), however in the man pages there is still a --enable-dsa2 flag, I hope you understand my confusion. I'm still confused what default cipher is chosen automatically (for me it's AES).

Again the man pages should accurately represent the defaults, and changes should be made to the documentation when changes to the defaults are added or subtracted. I don't think the current GnuPG manual is complete in any way nor in any way conveys what are the default settings. It's disingenuous for the program creators to expect me to trust the defaults without at least conveying them to me.

Rant over, I apologize to the community.

--
Kevin Hilton
Re: Can you clarify when data compression is used?
Kevin Hilton wrote:
> Although not supported on all systems (and not included on ubuntu
> by default if you can believe it), does bzip2 offer the highest
> compression?

The question is meaningless. It's predicated on the assumption that there exists a ranking scheme by which bzip2 will always beat zip for compression, or vice-versa.

The reality is that compression algorithms have certain tasks they're good at and certain tasks they're awful at. E.g., try compressing ciphertext sometime with either bzip2 or zip. You won't see any meaningful difference; both are equally awful at this. Compressing PE/COFF versus ELF binaries will give different results. Etc., etc., etc.

I can give only two bits of very broad advice, and one piece of specific advice.

The two generals:

* In most categories people care about, bzip2 offers better compression but is much slower.
* Bandwidth is cheap. It's not worth introducing interoperability problems just to get a slightly smaller file.

The one specific piece of advice:

* Unless you can articulate a clear need why the defaults will not work for your purpose, stick with the defaults.
Re: Can you clarify when data compression is used?
On Feb 4, 2008 1:17 AM, Kevin Hilton <[EMAIL PROTECTED]> wrote:
> Although not supported on all systems (and not included on ubuntu by
> default if you can believe it), does bzip2 offer the highest compression?
> I know that --personal-compress-preferences may be included in the
> gpg.conf file to take advantage of bzip2 or zlib if desired. Does PGP
> still only recognize ZIP or no compression?
>

--
Kevin Hilton
Re: Can you clarify when data compression is used?
Kevin Hilton wrote:
> Is the data compression algorithm applied to the text prior to being
> converted to ciphertext, or is the ciphertext compressed, or is it the
> combination of the ciphertext and encrypted session key that is
> compressed?

Prior. Ciphertext from a strong algorithm cannot be compressed.
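[Added example, not part of any post in this thread.] The point made in the replies above by David Shaw and Robert J. Hansen, that compression has to happen before encryption because ciphertext does not compress, can be checked by measuring both orders. The toy stream cipher below is an assumption of this example that only supplies random-looking output; it is not an OpenPGP cipher, and the sample text and key are constructed.

```python
import bz2
import hashlib
import zlib


def toy_stream_cipher(key: bytes, data: bytes) -> bytes:
    """XOR data with a SHA-256 counter keystream (same call decrypts).

    Stand-in that only produces random-looking bytes for the size
    comparison; not an OpenPGP cipher and not meant for real use.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        keystream = hashlib.sha256(key + counter).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], keystream))
    return bytes(out)


def size_report(plaintext: bytes, key: bytes) -> dict:
    """Byte counts for compress-then-encrypt versus encrypt-then-compress."""
    ciphertext = toy_stream_cipher(key, plaintext)
    compressed = zlib.compress(plaintext, 9)
    return {
        "plaintext": len(plaintext),
        # Order the thread says OpenPGP uses: compress first, then encrypt.
        "compress_then_encrypt": len(toy_stream_cipher(key, compressed)),
        # Reverse order: the compressor sees only random-looking bytes.
        "encrypt_then_zlib": len(zlib.compress(ciphertext, 9)),
        "encrypt_then_bzip2": len(bz2.compress(ciphertext, 9)),
    }


def round_trip(plaintext: bytes, key: bytes) -> bytes:
    """Sender compresses then encrypts; receiver decrypts then inflates."""
    sent = toy_stream_cipher(key, zlib.compress(plaintext, 9))
    return zlib.decompress(toy_stream_cipher(key, sent))


# Constructed sample input.
SAMPLE_TEXT = (b"Is the data compression algorithm applied to the text "
               b"prior to being converted to ciphertext?\n") * 100
SAMPLE_KEY = b"constructed demo key"

if __name__ == "__main__":
    for name, size in size_report(SAMPLE_TEXT, SAMPLE_KEY).items():
        print(f"{name:>22}: {size} bytes")
```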
Can you clarify when data compression is used?
Is the data compression algorithm applied to the text prior to being converted to ciphertext, or is the ciphertext compressed, or is it the combination of the ciphertext and encrypted session key that is compressed?

I can't seem to find any documentation discussing this.

--
Kevin Hilton