[openpgp] Intent to deprecate: Insecure primitives
David Leon Gil <coruus@gmail.com> Sat, 14 March 2015 01:22 UTC
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/n3VOR_lmMMy2B9hoR5DJkDjcXeg>
First, the fait accompli:

1. Yahoo and Google have both already deprecated and removed support for the following packet type specified for use with OpenPGPv4:

   Tag 9 (symmetrically encrypted) packets

   These packets provide unauthenticated encryption and -- if supported -- can be used in a downgrade attack on senders who only use SEIPD packets. See https://github.com/coruus/cooperpair/tree/master/encrux for details.

2. Yahoo and GnuPG have both already deprecated V3 public keys for any use.

We recommend that other implementations do the same.

--

Second, the near future:

Yahoo has deprecated, and intends to disable support for all uses, of the following primitives and packet types specified for use with OpenPGP v4:

- Symmetric cipher algorithms: IDEA, TDES, CAST5, Blowfish, Twofish
- Asymmetric algorithms, generally: RSA-ES, DSA.
- Asymmetric algorithms, unless > 3070 bit key length: RSA-S, RSA-E, ELG-E.
- Compression algorithms: ZLIB. (It provides no benefits over DEFLATE, and is more malleable.)
- Hash algorithms: MD5, SHA-1, RIPEMD160, SHA-2-224.

We do not, at present, support any of the CAMELLIA algorithms or BZIP2. It is unlikely that we will do so in future.

At present, we anticipate removing support for these primitives no later than May 1, 2015.

--

Third, other things that will be deprecated soonish:

1. Inconsistent combinations of primitives. In particular, it is likely that we will not support RFC 6637 keys or packets unless they conform to the 128-bit or 192-bit subprofiles specified in that document. (We do not at present support P-521, but if we add support for that, we would support an analogous "256-bit" subprofile.)

2. AES-128. The efficiency of multi-target attacks leaves no safety margin for cryptanalysis. The performance difference between AES-128 and AES-256 on typical messages is negligible.

--

Finally, other things that may eventually result in messages or keys being treated as invalid:

1. A published public key that is more than 1 year old. (This is mainly taken care of by requiring > 3070 bit RSA keys...)

2. Signature by a public key which has ever signed a message or key using MD-5 or SHA-1.

3. A compressed or literal data packet tag that is unusually formatted.

4. A compression method other than "Uncompressed".

David Leon Gil
Senior Paranoid
Yahoo!
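As an added illustration (not part of the original message, and not Yahoo's or Google's code), a receiver-side check for the Tag 9 and symmetric-cipher points above: it walks the RFC 4880 packet headers of a binary message and reports Tag 9 packets and SKESK packets that name one of the listed ciphers. The function names and the sample bytes are constructed for this example.

```python
# Packet tags and cipher IDs from the RFC 4880 registries; policy from the message.
SKESK, SED, SEIPD = 3, 9, 18
DEPRECATED_CIPHERS = {1: "IDEA", 2: "TDES", 3: "CAST5", 4: "Blowfish", 10: "Twofish"}

def read_length(data, i):
    """Decode one new-format length at data[i]: (length, next_i, is_partial)."""
    o = data[i]
    if o < 192:
        return o, i + 1, False
    if o < 224:
        return ((o - 192) << 8) + data[i + 1] + 192, i + 2, False
    if o == 255:
        return int.from_bytes(data[i + 1:i + 5], "big"), i + 5, False
    return 1 << (o & 0x1F), i + 1, True      # partial body length, more follows

def packets(data):
    """Yield (tag, body) for each top-level packet of a binary OpenPGP message."""
    i = 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if not hdr & 0x80:
            raise ValueError("bit 7 clear: not a packet header")
        body = b""
        if hdr & 0x40:                        # new-format header
            tag, partial = hdr & 0x3F, True
            while partial:
                n, i, partial = read_length(data, i)
                body, i = body + data[i:i + n], i + n
        else:                                 # old-format header
            tag, width = (hdr >> 2) & 0x0F, (1, 2, 4, 0)[hdr & 3]
            n = int.from_bytes(data[i:i + width], "big") if width else len(data) - i
            body, i = data[i + width:i + width + n], i + width + n
        if i > len(data):
            raise ValueError("truncated packet")
        yield tag, body

def policy_violations(message):
    """Reasons a receiver enforcing the message's policy would reject `message`."""
    found = []
    for tag, body in packets(message):
        if tag == SED:
            found.append("tag 9: unauthenticated Symmetrically Encrypted Data")
        elif tag == SKESK and len(body) >= 2 and body[1] in DEPRECATED_CIPHERS:
            found.append("tag 3: deprecated cipher " + DEPRECATED_CIPHERS[body[1]])
    return found

# Constructed samples: SKESK(AES-256)+SEIPD, then SKESK(CAST5)+old-format tag 9.
GOOD = bytes.fromhex("c30404090008" "d20501aabbccdd")
DOWNGRADED = bytes.fromhex("c30404030002" "a404aabbccdd")
```

Rejecting on the outer packet tag before any decryption is attempted is what keeps a Tag 9 packet from being processed as if it were an SEIPD packet.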