ietf-openpgp
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: SERPENT in OpenPGP?

2010-08-27 02:11:11
from [Ian G] [Permanent Link] 

Just all IMHO...


On 27/08/10 8:41 AM, Christoph Anton Mitterer wrote:


On Thu, 2010-08-26 at 15:00 -0700, Jon Callas wrote:

OpenPGP has Twofish, for which pretty much all the same things can be
said. If you don't like AES, you should likely be using Twofish or
Serpent. OpenPGP happens to have Twofish in it.

Yes I know...
Just don't see the reason why OpenPGP is rather conservative with it's
implemented algorithms.
Not only for ciphers, but also e.g. compression algorithms (supporting
XZ would IMHO make sense).
There is a cost to supporting more algorithms - interoperability. In practice, this cost is greater than any marginal benefit gained by introducing additional algorithms. (I claim, IMHO)
For example, we don't have much experience of algorithms being crunched. Even the old TDES is pretty strong, and while MD5 is looking shaky, it hasn't in practice resulted in much more than embarrassment and arguments. Users have not lost because of these choices.
In contrast, we have a lot of experience with users not being able to use additional algorithms, because one user has it but others do not. Most of this reduces to using the compulsory set, but some of it reduces to not using crypto at all.
(Also there is the cost of coding it up, and the weakness inherent in having switches in the code, where without the alternatives there would be no switching.)
For all these reasons, the history of "algorithm agility" has been rather fun for developers and rather a headache for users. For the users, there is an aspirin: 

http://iang.org/ssl/h1_the_one_true_cipher_suite.html

For the developers, there are other fun intoxicating things to work on ;)



Another issue, which comes just in my mind.... would it make sense

to

add support for stacked encryption?
I mean, having a literal packet encrypted with a symmetrically

encrypted

data packet say with cipher A, which in turn is encrypted with

another

symmetrically encrypted data packet say with cipher B.
Of course the session key packet would have to be large enough to
provide key material for both.


What problem are you trying to solve? People have done that before.
You could build this up in an only slightly klugy manner with existing
OpenPGP components.

No specific, problem,... I'd just like to see that OpenPGP allows for
even more higher-grade security. I mean really for a very long time
scale.
In in case one cipher is broken (ok I know that this is rather unlikely)
the other ciphers might be still safe (when multiple are used).
This is a tricky area. By trying to create a stronger cipher (and that is what you are doing, combining A + B to make cipher C) you are putting yourself above the cryptographers ... who presumably tried to make A and B quite strong already.
( I for one do that all the time -- put myself above the cryptographers. But only in my area of expertise, which is computer science, and not in their area of expertise, which is cryptography! :)
I have seen this done with AES and another algorithm XOR'd in parallel. The conjecture is that it is then stronger than either alone. E.g., if one breaks.
But this is just conjecture. Such a claim is not easily distinguishable from developers having too much fun.... 



Unfortunately, OpenPGP development seems to be quite slowed down to me.
Of course this has advantages but on the other hand I'd like to see many
things that were previously discussed here, e.g.
- PBKDF2
- phasing out SHA1
- ECC (ok this is on its way :) )
- some of the ideas presented in the threads "Series of minor questions
about OpenPG" here, especially:
   - making the standard more strict in several aspects and work against
possible ambiguities.
   - much more use of the user attribute packet (which IMO should replace
the User ID packet on a long term scale), adding _many_ possible values
that can be signed,... e.g. things like brithday (time), birthplace,
color of eyes ;) ... much more types of names (a common name which would
be about what we have right now in the user ID, family name and given
name (for western contries), other types for different cultures) ... I
could even think of stuff like address and so on.
mmmm possibly. I wrote a while ago that (IMHO) we should not try and fiddle with the current OpenPGP structures, instead we should finish the RFC ... then start a complete rewrite.
The reason for this is that OpenPGP includes the best of our understanding from a long time ago. Around PGP 5, etc.
And in the last decade we've learnt a lot more ... which we're probably missing out on if we spend another decade tuning PGP 5 :) 

iang
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: SERPENT in OpenPGP?, David Shaw
Next by Date:  Re: SERPENT in OpenPGP?, Werner Koch
Previous by Thread:  Re: SERPENT in OpenPGP?, Christoph Anton Mitterer
Next by Thread:  Re: SERPENT in OpenPGP?, Christoph Anton Mitterer
Indexes:  [Date] [Thread] [Top] [All Lists]