Here are my thoughts on simplified OpenPGP.
I don't think that there is one size that fits all. I think, we need at
least three profiles:
1. Backwards compatibility profile.
3DES, SHA1, RSA2048 (for both encryption and signature)
This is supported by most software and hardware and is reasonably secure.
2. Lightweight/mobile profile.
Mobile considerations:
Communication costs over GSM networks are measured in the multiples of 140
bytes (or 1120 bits), which cost about €0.10.
Asymmetrically encrypted session keys are equal to the public key length for
RSA and twice that for ElGamal.
Digital signatures are the size of the public key for RSA, and twice the
size of the hash function for DSA variants. El-Gamal sitnatures weight twice
the public key length, but that is irrelevant because there is no advantage
in using El-Gamal over DSA.
Randomness available in mobile phones is typically very poor. The reference
implementation of SSL for mobiles has recently been broken because of that.
Now, DSA signatures can reveal the private key(!) if the randomness source
they use is bad. Thankfully, mobile SSL uses RSA signatures, thus poor
randomness only hurts confidentiality but does not reveal any private key or
theaten authenticity and integrity.
As you can see, some of these considerations are in conflict. My take is
that we should play it out in the real world and standardize on what works
best later.
3. General PC profile.
Go for Pareto-complete algorithms, with over-designed symmetric
parameters (because those are much cheaper):
AES256, SHA512, RSA4096 (for both encryption and signature)
Any news on algebraic attacks on AES?
--
Daniel
signature.asc
Description: Digital signature