Default Key Types

Do you think that the default option in Enigmail should be to generate an RSA key, and use SHA256?

Yes: 6 votes (60%)
No: 4 votes (40%)

Total votes: 10

Post by Adam » 7th Dec 2005 15:28

I'm gonna extend the question from Shane's post about key types and SHA selections.

It seems that most people who have voted agree that we should encourage the use of RSA and more secure SHA signing algorithms. Based on the fact that SHA1 has a proven weakness (see this article: http://en.wikipedia.org/wiki/SHA256 ), do you think that the default option in Enigmail should be to generate an RSA key, and use SHA256 as opposed to the current default of DSA/El Gamal and SHA1?
Mozilla Thunderbird 2.0, Enigmail 0.95.5, GnuPG 1.4.8-MobilityEmail
OpenPGP Key ID 0x37858A47
Adam
Experienced user
Posts: 119
Joined: 5th Dec 2005 17:34

Post by olav » 7th Dec 2005 21:51

SUMMARY

I think that Enigmail should use the GnuPG standard settings to create new keys. The GnuPG folks will know when to switch to a more secure standard.

FULL STORY

If one does not agree with that standard he will know enough to create a non-standard key pair without Enigmail. Enigmail's OpenPGP functionality is aimed at the lesser skilled people that do not know about the differences between DSA and RSA and SHA1 weaknesses. But GnuPG people do know and do care and I think that the common user is fine trusting their judgement when the time has come to switch to a different standard.
olav
Enigmail Team
Posts: 93
Joined: 13th Nov 2005 22:22
Location: Emmendingen, Germany

Post by Saber_Rider » 7th Dec 2005 23:05

FULL ACK Olav.
Saber_Rider
Average User
Posts: 24
Joined: 5th Dec 2005 16:44
Location: Regensburg, Germany

Post by shane » 8th Dec 2005 17:42

I think Olav is correct, and that the GnuPG team are the best to follow on this matter. Our default should not be different from what they use as default. However, what about encouraging slightly more advanced users to use a certain configuration? That's where my RSA/AES512 idea came from.
shane
Enigmail Team
Posts: 134
Joined: 13th Nov 2005 22:26
Location: UK

Post by Adam » 8th Dec 2005 18:50

To be honest, I hadn't considered that the default key was selected by GnuPG rather than Enigmail, so I think you are correct in saying that the Enigmail team shouldn't change that default setting.

It does strike me as strange, however, that GnuPG defaults to a standard that has been proven to have a potential flaw. I'm aware that the 1:9,223,372,036,854,775,808 (1:2^63) chance of the key being exploited is remote to say the least, but when I discovered the flaw in the keys, I decided to revoke my original key pairs and create a new set of RSA keys for use with SHA256. If I had known about this flaw in the outset, or if the default key settings were different, obviously I wouldn't have had to do this, but I do agree that we should follow GnuPG on this.

I've heard on the grapevine (well, the GnuPG Users list at any rate) that there's a new version of GnuPG 1.4.3 in the pipeline. Possibly a feature request to be made.

I suppose another suggestion would be for the Enigmail website team to include a link to the wiki page that explains the different hash algorithms so that users have the information they need to choose their method of key generation.

Post by shane » 8th Dec 2005 18:56

Adam, excellent idea about the link to information about key hashes and sizes. Could be useful for people to learn more.

I'm using GnuPG 1.4.3cvs on my machine. It's got some new features like greatly improved key cleaning, and it includes support for the PGP ZIP format that PGP (commercial application) uses. As far as I know, there are no suggested encryption changes.

I should make very clear that existing signing is NOT broken. It's just becoming possible to see a way to break it in the future. There is a known method to break it, even if the actual breaking process is too much bother to be worth it. As far as I know, PGP/MIME currently only allows signing up to 160bit? Hence SHA1 and RIPEMD160 et al.

Does anyone know more about this stuff?

Post by Adam » 8th Dec 2005 19:03

shane wrote: Does anyone know more about this stuff?


Errm... I'm not pretending to know more about this, but I just sent myself a signed and encrypted test message with PGP/MIME. My default setting is SHA256 and I didn't have any problems with it - the email sent, verified and decrypted without issue.

I can't get email properties to confirm that SHA256 was definitely used, but there weren't any warning messages etc.

Post by shane » 8th Dec 2005 19:11

Well, in that case I guess it works :)

Hm... personally I think that we should all get our heads together, and talk about an "advised" key configuration/size for more experienced users.

There are SO many issues here. I mean, sometimes people think big is better (in terms of bitsize), but that's not true. As they point out on the GnuPG website, if you use a signing key over 1024bits you potentially introduce a weakness in the hashing. And, when it comes to encryption, we have to seriously ask when bitsize is meaningless. Is it X amount of times better to have a 2048bit key rather than a 1024bit? What about a 4096bit key instead of 2048bit?

I remember someone made a comment once that if 1024bit encryption is broken, then we need to rethink our encryption methodology rather than just increasing bitsize.

Post by shane » 8th Dec 2005 21:36

Continuing my obsession...

An XBOX 360 can do one teraflop (1 trillion calculations per second). That's 10 to the power of 12 I believe.

Breaking SHA1 will take 2 to the power of 69 calculations.

So, we can use the following calculation to work out how long it would take an XBOX 360 to break SHA1:

2^69 divided by 10^12 = the amount of seconds to break SHA1.

Right?

Anyone want to calculate that?

I got 590295810 seconds (assuming the calculation is right, and rounded). That's 9838264 minutes. 163971 hours. 6832 days. Roughly 19 years.

Get 100 XBOX360s networked, and you can break SHA1 in 68 days.

For reference:
XBOX360 spec: http://news.bbc.co.uk/1/hi/technology/4485922.stm
SHA1 cracking spec:
http://www.schneier.com/blog/archives/2 ... sis_o.html

Post by Adam » 8th Dec 2005 21:38

Yeah. I'm pretty sure a dictionary attack on the passphrase would be far more likely to succeed.

Don't think I'll check the maths - looks good to me from here!

Post by shane » 8th Dec 2005 21:47

Well, breaking SHA1 in 68 days is really possible. I mean, I'm not going to do it to pretend to sign Patrick's email (for instance), but when it comes to business and government...it just sounds flaky to me.

Let's pose a question: if it takes 100 XBOX360s only 68 days to break SHA1, how long does it take the NSA to spoof an email?

Hm. :( Not good.

Post by Lusfert » 9th Dec 2005 16:55

shane wrote: Breaking SHA1 will take 2 to the power of 69 calculations.

You're a little wrong. Breaking SHA-1 will take 2^63 calculations...
http://www.schneier.com/blog/archives/2 ... nalyt.html

Thus we will need 2^63/10^12 ≈ 9223372 seconds ≈ 2562 hours ≈ 107 days.

100 XBOX360s will do these calculations in ~1 day. :shock:
Last edited by Lusfert on 9th Dec 2005 17:09, edited 2 times in total.
Lusfert
Average User
Posts: 21
Joined: 5th Dec 2005 15:02
Location: Russia

Post by shane » 9th Dec 2005 17:00

Bummer.

Post by Lusfert » 9th Dec 2005 19:51

Hm. One teraflop of XBOX 360 is a strong power.

In this case CAST5, Blowfish (as implemented in OpenPGP), AES-128, IDEA, and all other 128-bit ciphers are easily breakable...
Using a birthday attack, it's only necessary to perform 2^(128/2) operations. To do these 2^64 operations we need the time for 2^63 operations twice (2^64/2^63 = 2):

2^64/10^12 = (2^63)*2/10^12 ≈ 9223372*2 seconds ≈ 2562*2 hours ≈ 107*2 days = 214 days.

With 100 XBOX360s it's only ~2 days. 2 days to crack a 128-bit symmetric cipher!

I'm pretty sure that something is wrong... I'm not an expert, please don't read this as serious text. Just a thought.
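
Added example, not part of any post in this thread: the birthday bound used in the post above covers finding any two colliding inputs of an n-bit hash (about 2^(n/2) trials), whereas hitting one fixed value, as in a search over a k-bit key, takes on the order of 2^k trials. The sketch measures both on a toy hash (SHA-256 truncated to 16 bits, an assumption made so it runs quickly) and reuses the thread's assumed 10^12 operations per second; all function names are illustrative.

```python
import hashlib
from statistics import mean

def trunc_hash(data: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-256: a toy n-bit hash constructed for this demo."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - bits)

def collision_trials(bits: int, seed: int) -> int:
    """Hashes computed until ANY two distinct inputs share an output (birthday search)."""
    seen = set()
    i = 0
    while True:
        h = trunc_hash(f"{seed}:{i}".encode(), bits)
        i += 1
        if h in seen:
            return i
        seen.add(h)

def target_trials(bits: int, seed: int) -> int:
    """Hashes computed until an input hits ONE fixed output (key-search analogue)."""
    target = trunc_hash(f"target:{seed}".encode(), bits)
    i = 0
    while True:
        i += 1
        if trunc_hash(f"{seed}:{i}".encode(), bits) == target:
            return i

def compare(bits: int = 16, runs: int = 8) -> tuple:
    """Average work for both searches over `runs` independent seeds."""
    birthday = mean(collision_trials(bits, s) for s in range(runs))
    targeted = mean(target_trials(bits, s) for s in range(runs))
    return birthday, targeted

def seconds_at(ops: float, rate: float = 1e12) -> float:
    """Time for `ops` operations at the thread's assumed 10^12 operations/second."""
    return ops / rate

if __name__ == "__main__":
    b, t = compare()
    print(f"16-bit toy hash: collision ~{b:.0f} hashes, fixed target ~{t:.0f} hashes")
    year = 3.15e7  # seconds per year, rounded
    # Generic bounds at real sizes: collision 2^(n/2), average key search 2^(k-1).
    print(f"2^80  (160-bit hash, generic collision): {seconds_at(2**80) / year:.1e} years")
    print(f"2^127 (128-bit key, average search):     {seconds_at(2**127) / year:.1e} years")
```

The collision count lands near 2^8 while the fixed-target count lands near 2^16, which is why a 2^64 birthday figure does not carry over to recovering a 128-bit key.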

Post by shane » 9th Dec 2005 23:25

I agree. Either our figures are wrong, or a lot of cyphers are not secure. We really need to get a math chap onto this. Let's try and find one...
