New vs Old (was Snake Oil)

Bill Stewart bill.stewart at pobox.com
Tue Jun 3 14:27:16 EDT 2003


Much of this is in the PGP FAQ http://www.scramdisk.clara.net/pgpfaq.html

At 01:58 PM 06/03/2003 +0100, Jill.Ramonsky at Aculab.com wrote:
>I remember a time when PGP was a command line application.
>The only algorithms it used were IDEA (symmetric),
>RSA (asymmetric) and MD5 (hash). I came to trust these algorithms.

Unfortunately, consistent support for the command-line options
suffered for a while, though it was pretty obvious that
Phil wasn't a Unix developer and it wasn't easy to make
PGP support other programs in general.

>Now these once-'standard' algorithms are no longer encouraged.
>The new versions of PGP seem to prefer CAST instead of IDEA,
>DH/DSS instead of RSA, and SHA-1 instead of MD5.
>
>So, could someone please tell me:
>
>(1) What is the justification for using these "new" algorithms instead of
>the old ones? (A cynic might suggest that, since the "powers that be"
>couldn't break the old algorithms, they encouraged the use of new ones that
>they could. This probably isn't true, but I'm sure you can understand why
>someone might think that).

There were three basic problems:
- The IDEA and RSA algorithms were patented, and it's one thing to
ignore or violate patents for an in-your-face human rights campaign,
but another thing entirely for a product you're trying to commercialize
or for an open-source reimplementation you're trying to GPL (the GPG.)
In the case of IDEA, they had friendly non-commercial-use permissions,
but that didn't help PGP Inc.  The RSAREF licenses, which were pretty much
done to let RSA keep some practical control over the algorithm,
also helped a bit, and of course the patent has now expired.

- MD5 appears to be somewhat broken, based on Hans Dobbertin's work.
While that doesn't necessarily affect the way it's used in PGP,
it's pretty shaky, and SHA-1 is an adequate replacement.
The 2.x data formats didn't let you replace MD5, so you have to
use newer versions of PGP formats to do it.

- The 2.x generation of PGP data formats was broken and exploitable,
because it was careless about which fields were covered by
signatures and because the ugly bit-twiddly data formats
were too busy saving a bit here or there to provide good boundaries
between fields, so it's possible to do things like forge key signatures.
Because of that, you need to switch to newer data formats anyway,
which means switching to newer versions of PGP, which preferred
the other algorithms for patent reasons (though they were extensible.)

>(2) What actually _IS_ DH/DSS?

It's basically El Gamal, using the DSS for signatures.
Details in the FAQ are at
http://www.scramdisk.clara.net/pgpfaq.html#SubDH
http://www.scramdisk.clara.net/pgpfaq.html#Note1
http://www.scramdisk.clara.net/pgpfaq.html#Note3

>(3) Ditto CAST and SHA-1.

CAST is discussed in RFC2144 and other places.

SHA-1 was extensively discussed, because the NSA released SHA and then
oopsed and followed it with SHA-1.  There's been some analysis that
hints at possible attacks on SHA, or at least suggests that the
changes that made it SHA-1 do look like they make it stronger.
A big difference between MD5 and SHA-1 is that SHA-1 hashes are 160 bits,
which are of course the wrong size for data structures built for 128 bits,
and are more resistant to birthday attacks (where applicable,
which they don't seem to be in PGP), and are almost but not quite
long enough for 3DES keying, so some programs probably sleaze that a bit.


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
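An added example in Python (not part of the original post or of PGP) for the digest-size discussion above: it reads the MD5 and SHA-1 output lengths, derives the birthday bound 2^(n/2) and the shortfall when one digest is used directly as 3DES key material, and runs a toy birthday experiment on a truncated digest to show collisions appearing after roughly 2^(n/2) trials. The 24-byte (168 key bits plus parity) three-key 3DES size is an assumption about what "3DES keying" refers to.

```python
import hashlib
import statistics

# Constructed assumption: 3-key 3DES takes 24 key bytes (168 key bits + parity).
THREE_DES_KEY_BYTES = 24


def digest_bits(name: str) -> int:
    """Output length in bits of a hashlib algorithm (md5 -> 128, sha1 -> 160)."""
    return hashlib.new(name).digest_size * 8


def birthday_work_bits(n_bits: int) -> int:
    """log2 of the expected work to find *any* collision: 2^(n/2)."""
    return n_bits // 2


def three_des_key_shortfall(name: str) -> int:
    """Bytes missing if a single digest is used as a 3-key 3DES key."""
    return max(0, THREE_DES_KEY_BYTES - hashlib.new(name).digest_size)


def truncated_collision_trials(name: str, trunc_bits: int, seed: bytes = b"") -> int:
    """Toy birthday experiment: hash counter values (deterministic input) and
    count how many distinct inputs it takes until two digests agree on their
    low trunc_bits bits. Only meant for small trunc_bits."""
    mask = (1 << trunc_bits) - 1
    seen = set()
    trials = 0
    while True:
        trials += 1
        msg = seed + trials.to_bytes(4, "big")
        tag = int.from_bytes(hashlib.new(name, msg).digest(), "big") & mask
        if tag in seen:
            return trials
        seen.add(tag)


def mean_collision_trials(name: str, trunc_bits: int, runs: int = 8) -> float:
    """Average the experiment over several seeds to smooth out single-run variance."""
    return statistics.mean(
        truncated_collision_trials(name, trunc_bits, seed=bytes([i]))
        for i in range(runs)
    )


if __name__ == "__main__":
    for alg in ("md5", "sha1"):
        print(alg, digest_bits(alg), "bits; birthday work 2^%d;" % birthday_work_bits(digest_bits(alg)),
              three_des_key_shortfall(alg), "bytes short for 3DES")
    # For 16 truncated bits, collisions show up after a few hundred trials (~2^8), not 2^16.
    print("mean trials to collide 16-bit truncated sha1:", mean_collision_trials("sha1", 16))
```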