[Pkg-gnupg-commit] [gnupg2] 02/02: Update crypto defaults for 2018 (new keys are RSA 3072, prefer AES256)

Daniel Kahn Gillmor dkg at fifthhorseman.net
Sat Oct 28 13:33:52 UTC 2017


This is an automated email from the git hooks/post-receive script.

dkg pushed a commit to branch stretch
in repository gnupg2.

commit 1c35044571dba16990cad1c2d2585629e1cc4514
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date:   Sat Oct 28 15:25:18 2017 +0200

    Update crypto defaults for 2018 (new keys are RSA 3072, prefer AES256)
    
    NIST recommends using only 3072-bit keys (or larger) by 2020.  Keys
    generated in 2018 are likely to be in use for at least another two
    years.  We should be deploying stronger keys earlier.
    
    We also move to the stronger AES256 by default.  Users with
    particularly constrained machines can always choose a weaker cipher if
    they want to, but the default preference should be the strongest
    cipher we have available.  Peers who don't have AES256 available can
    still of course use one of the other ciphers that we announce support
    for.
---
 debian/patches/series                              |   3 +
 .../0079-gpgsm-default-to-3072-bit-keys.patch      | 130 +++++++++++++++++++++
 .../0080-gpg-default-to-3072-bit-RSA-keys.patch    |  98 ++++++++++++++++
 .../0081-gpg-default-to-AES-256.patch              |  35 ++++++
 4 files changed, 266 insertions(+)

diff --git a/debian/patches/series b/debian/patches/series
index 17770ee..5a0de89 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -76,3 +76,6 @@ gpg-agent-idling/0004-agent-Avoid-scheduled-checks-on-socket-when-inotify-.patch
 skip-missing-signing-keys/0076-g10-Skip-signing-keys-where-no-secret-key-is-availab.patch
 skel-file-removal/0077-g10-remove-skeleton-options-files.patch
 avoid-spurious-warnings/0078-gpg-Avoid-spurious-warnings-about-trust-packets.patch
+update-crypto-defaults/0079-gpgsm-default-to-3072-bit-keys.patch
+update-crypto-defaults/0080-gpg-default-to-3072-bit-RSA-keys.patch
+update-crypto-defaults/0081-gpg-default-to-AES-256.patch
diff --git a/debian/patches/update-crypto-defaults/0079-gpgsm-default-to-3072-bit-keys.patch b/debian/patches/update-crypto-defaults/0079-gpgsm-default-to-3072-bit-keys.patch
new file mode 100644
index 0000000..804b2bd
--- /dev/null
+++ b/debian/patches/update-crypto-defaults/0079-gpgsm-default-to-3072-bit-keys.patch
@@ -0,0 +1,130 @@
+From: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
+Date: Thu, 7 Sep 2017 18:39:37 -0400
+Subject: gpgsm: default to 3072-bit keys.
+
+* doc/gpgsm.texi, doc/howto-create-a-server-cert.texi: : update
+default to 3072 bits.
+* sm/certreqgen-ui.c (gpgsm_gencertreq_tty): update default to
+3072 bits.
+* sm/certreqgen.c (proc_parameters): update default to 3072 bits.
+* sm/gpgsm.c (main): print correct default_pubkey_algo.
+
+--
+
+3072-bit RSA is widely considered to be 128-bit-equivalent security.
+This is a sensible default in 2017.
+
+Signed-off-by: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
+
+(cherry picked from commit 7955262151a5c755814dd23414e6804f79125355)
+---
+ doc/gpgsm.texi                      |  2 +-
+ doc/howto-create-a-server-cert.texi | 14 +++++++-------
+ sm/certreqgen-ui.c                  |  2 +-
+ sm/certreqgen.c                     |  4 ++--
+ sm/gpgsm.c                          |  2 +-
+ 5 files changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/doc/gpgsm.texi b/doc/gpgsm.texi
+index b92eaea..b5f23a2 100644
+--- a/doc/gpgsm.texi
++++ b/doc/gpgsm.texi
+@@ -1076,7 +1076,7 @@ key. The algorithm must be capable of signing.  This is a required
+ parameter.  The only supported value for @var{algo} is @samp{rsa}.
+ 
+ @item Key-Length: @var{nbits}
+-The requested length of a generated key in bits.  Defaults to 2048.
++The requested length of a generated key in bits.  Defaults to 3072.
+ 
+ @item Key-Grip: @var{hexstring}
+ This is optional and used to generate a CSR or certificate for an
+diff --git a/doc/howto-create-a-server-cert.texi b/doc/howto-create-a-server-cert.texi
+index 55f1a91..30e28bd 100644
+--- a/doc/howto-create-a-server-cert.texi
++++ b/doc/howto-create-a-server-cert.texi
+@@ -31,14 +31,14 @@ Let's continue:
+ 
+ @cartouche
+ @example
+-  What keysize do you want? (2048)
+-  Requested keysize is 2048 bits
++  What keysize do you want? (3072)
++  Requested keysize is 3072 bits
+ @end example
+ @end cartouche
+ 
+-Hitting enter chooses the default RSA key size of 2048 bits.  Smaller
+-keys are too weak on the modern Internet.  If you choose a larger
+-(stronger) key, your server will need to do more work.
++Hitting enter chooses the default RSA key size of 3072 bits.  Keys
++smaller than 2048 bits are too weak on the modern Internet.  If you
++choose a larger (stronger) key, your server will need to do more work.
+ 
+ @cartouche
+ @example
+@@ -124,7 +124,7 @@ request:
+ @example
+   These parameters are used:
+       Key-Type: RSA
+-      Key-Length: 2048
++      Key-Length: 3072
+       Key-Usage: sign, encrypt
+       Name-DN: CN=example.com
+       Name-DNS: example.com
+@@ -224,7 +224,7 @@ To see the content of your certificate, you may now enter:
+             aka: (dns-name example.com)
+             aka: (dns-name www.example.com)
+        validity: 2015-07-01 16:20:51 through 2016-07-01 16:20:51
+-       key type: 2048 bit RSA
++       key type: 3072 bit RSA
+       key usage: digitalSignature keyEncipherment
+   ext key usage: clientAuth (suggested), serverAuth (suggested), [...]
+     fingerprint: 0F:9C:27:B2:DA:05:5F:CB:33:D8:19:E9:65:B9:4F:BD:B1:98:CC:57
+diff --git a/sm/certreqgen-ui.c b/sm/certreqgen-ui.c
+index b50d338..b8f7912 100644
+--- a/sm/certreqgen-ui.c
++++ b/sm/certreqgen-ui.c
+@@ -138,7 +138,7 @@ gpgsm_gencertreq_tty (ctrl_t ctrl, estream_t output_stream)
+   unsigned int nbits;
+   int minbits = 1024;
+   int maxbits = 4096;
+-  int defbits = 2048;
++  int defbits = 3072;
+   const char *keyusage;
+   char *subject_name;
+   membuf_t mb_email, mb_dns, mb_uri, mb_result;
+diff --git a/sm/certreqgen.c b/sm/certreqgen.c
+index 9b4ffc9..9802d23 100644
+--- a/sm/certreqgen.c
++++ b/sm/certreqgen.c
+@@ -26,7 +26,7 @@
+      $ cat >foo <<EOF
+      %echo Generating a standard key
+      Key-Type: RSA
+-     Key-Length: 2048
++     Key-Length: 3072
+      Name-DN: CN=test cert 1,OU=Aegypten Project,O=g10 Code GmbH,L=Ddorf,C=DE
+      Name-Email: joe at foo.bar
+      # Do a commit here, so that we can later print a "done"
+@@ -468,7 +468,7 @@ proc_parameters (ctrl_t ctrl, struct para_data_s *para,
+   /* Check the keylength.  NOTE: If you change this make sure that it
+      macthes the gpgconflist item in gpgsm.c  */
+   if (!get_parameter (para, pKEYLENGTH, 0))
+-    nbits = 2048;
++    nbits = 3072;
+   else
+     nbits = get_parameter_uint (para, pKEYLENGTH);
+   if ((nbits < 1024 || nbits > 4096) && !cardkeyid)
+diff --git a/sm/gpgsm.c b/sm/gpgsm.c
+index 34a9b96..a58334b 100644
+--- a/sm/gpgsm.c
++++ b/sm/gpgsm.c
+@@ -1731,7 +1731,7 @@ main ( int argc, char **argv)
+         /* The next one is an info only item and should match what
+            proc_parameters actually implements.  */
+         es_printf ("default_pubkey_algo:%lu:\"%s:\n", GC_OPT_FLAG_DEFAULT,
+-                   "RSA-2048");
++                   "RSA-3072");
+ 
+       }
+       break;
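
Review bot: The lower bound stays at 1024 in sm/certreqgen-ui.c (`int minbits = 1024;`) and sm/certreqgen.c (`nbits < 1024 || nbits > 4096`), while the howto text updated in this same patch now says keys smaller than 2048 bits are too weak on the modern Internet. Consider raising the minimum to 2048 together with the new default, or at least warning in the tty dialog when a size below 2048 is requested. The default is also now spread over three literals (`defbits = 3072`, `nbits = 3072`, `"RSA-3072"`) that the neighbouring comments ask to be kept in sync by hand; one shared macro would remove that hazard. Minor: the changelog entry for the doc files has a doubled colon (": :").
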
diff --git a/debian/patches/update-crypto-defaults/0080-gpg-default-to-3072-bit-RSA-keys.patch b/debian/patches/update-crypto-defaults/0080-gpg-default-to-3072-bit-RSA-keys.patch
new file mode 100644
index 0000000..26bbb36
--- /dev/null
+++ b/debian/patches/update-crypto-defaults/0080-gpg-default-to-3072-bit-RSA-keys.patch
@@ -0,0 +1,98 @@
+From: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
+Date: Thu, 7 Sep 2017 18:41:10 -0400
+Subject: gpg: default to 3072-bit RSA keys.
+
+* agent/command.c (hlp_genkey): update help text to suggest the use of
+3072 bits.
+* doc/wks.texi: Make example match default generation.
+* g10/keygen.c (DEFAULT_STD_KEY_PARAM): update to
+rsa3072/cert,sign+rsa3072/encr, and fix neighboring comment,
+(gen_rsa, get_keysize_range): update default from 2048 to 3072).
+* g10/keyid.c (pubkey_string): update comment so that first example
+is the default 3072-bit RSA.
+
+--
+
+3072-bit RSA is widely considered to be 128-bit-equivalent security.
+This is a sensible default in 2017.
+
+Signed-off-by: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
+
+(cherry picked from commit 909fbca19678e6e36968607e8a2348381da39d8c)
+---
+ agent/command.c | 2 +-
+ g10/keygen.c    | 9 ++++-----
+ g10/keyid.c     | 4 ++--
+ 3 files changed, 7 insertions(+), 8 deletions(-)
+
+diff --git a/agent/command.c b/agent/command.c
+index a2d4931..a857e5d 100644
+--- a/agent/command.c
++++ b/agent/command.c
+@@ -875,7 +875,7 @@ static const char hlp_genkey[] =
+   "\n"
+   "  C: GENKEY\n"
+   "  S: INQUIRE KEYPARAM\n"
+-  "  C: D (genkey (rsa (nbits  2048)))\n"
++  "  C: D (genkey (rsa (nbits 3072)))\n"
+   "  C: END\n"
+   "  S: D (public-key\n"
+   "  S: D   (rsa (n 326487324683264) (e 10001)))\n"
+diff --git a/g10/keygen.c b/g10/keygen.c
+index 0180581..f14bbbe 100644
+--- a/g10/keygen.c
++++ b/g10/keygen.c
+@@ -46,11 +46,10 @@
+ #include "mbox-util.h"
+ 
+ 
+-/* The default algorithms.  If you change them remember to change them
+-   also in gpg.c:gpgconf_list.  You should also check that the value
++/* The default algorithms.  If you change them, you should ensure the value
+    is inside the bounds enforced by ask_keysize and gen_xxx.  See also
+    get_keysize_range which encodes the allowed ranges.  */
+-#define DEFAULT_STD_KEY_PARAM  "rsa2048/cert,sign+rsa2048/encr"
++#define DEFAULT_STD_KEY_PARAM  "rsa3072/cert,sign+rsa3072/encr"
+ #define FUTURE_STD_KEY_PARAM   "ed25519/cert,sign+cv25519/encr"
+ 
+ /* When generating keys using the streamlined key generation dialog,
+@@ -1620,7 +1619,7 @@ gen_rsa (int algo, unsigned int nbits, KBNODE pub_root,
+ 
+   if (nbits < 1024)
+     {
+-      nbits = 2048;
++      nbits = 3072;
+       log_info (_("keysize invalid; using %u bits\n"), nbits );
+     }
+   else if (nbits > maxsize)
+@@ -2089,7 +2088,7 @@ get_keysize_range (int algo, unsigned int *min, unsigned int *max)
+     default:
+       *min = opt.compliance == CO_DE_VS ? 2048: 1024;
+       *max = 4096;
+-      def = 2048;
++      def = 3072;
+       break;
+     }
+ 
+diff --git a/g10/keyid.c b/g10/keyid.c
+index dd098fd..9507beb 100644
+--- a/g10/keyid.c
++++ b/g10/keyid.c
+@@ -73,7 +73,7 @@ pubkey_letter( int algo )
+    is copied to the supplied buffer up a length of BUFSIZE-1.
+    Examples for the output are:
+ 
+-   "rsa2048"  - RSA with 2048 bit
++   "rsa3072"  - RSA with 3072 bit
+    "elg1024"  - Elgamal with 1024 bit
+    "ed25519"  - ECC using the curve Ed25519.
+    "E_1.2.3.4"  - ECC using the unsupported curve with OID "1.2.3.4".
+@@ -83,7 +83,7 @@ pubkey_letter( int algo )
+    If the option --legacy-list-mode is active, the output use the
+    legacy format:
+ 
+-   "2048R" - RSA with 2048 bit
++   "3072R" - RSA with 3072 bit
+    "1024g" - Elgamal with 1024 bit
+    "256E"  - ECDSA using a curve with 256 bit
+ 
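
Review bot: The changelog lists `doc/wks.texi: Make example match default generation`, but the diffstat and the hunks cover only agent/command.c, g10/keygen.c and g10/keyid.c. Either drop that entry from the log of this cherry-pick or add the missing doc hunk. In g10/keygen.c the reworded comment removes the reminder to update gpg.c:gpgconf_list, yet gpg.c is not touched here; please confirm that gpgconf_list no longer carries its own copy of the default, otherwise it would keep reporting the old value. The gen_rsa/get_keysize_range changelog entry also ends in an unbalanced ")".
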
diff --git a/debian/patches/update-crypto-defaults/0081-gpg-default-to-AES-256.patch b/debian/patches/update-crypto-defaults/0081-gpg-default-to-AES-256.patch
new file mode 100644
index 0000000..a9f81bf
--- /dev/null
+++ b/debian/patches/update-crypto-defaults/0081-gpg-default-to-AES-256.patch
@@ -0,0 +1,35 @@
+From: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
+Date: Thu, 7 Sep 2017 19:04:00 -0400
+Subject: gpg: default to AES-256.
+
+* g10/main.h (DEFAULT_CIPHER_ALGO): Prefer AES256 by default.
+
+--
+
+It's 2017, and pretty much everyone has AES-256 available.  Symmetric
+crypto is also rarely the bottleneck (asymmetric crypto is much more
+expensive).  AES-256 provides some level of protection against
+large-scale decryption efforts, and longer key lengths provide a hedge
+against unforseen cryptanalysis.
+
+Signed-off-by: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
+(cherry picked from commit 73ff075204df09db5248170a049f06498cdbb7aa)
+---
+ g10/main.h | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/g10/main.h b/g10/main.h
+index 6837e98..edee027 100644
+--- a/g10/main.h
++++ b/g10/main.h
+@@ -30,7 +30,9 @@
+    (i.e. uncompressed) rather than 1 (zip).  However, the real world
+    issues of speed and size come into play here. */
+ 
+-#if GPG_USE_AES128
++#if GPG_USE_AES256
++# define DEFAULT_CIPHER_ALGO     CIPHER_ALGO_AES256
++#elif GPG_USE_AES128
+ # define DEFAULT_CIPHER_ALGO     CIPHER_ALGO_AES
+ #elif GPG_USE_CAST5
+ # define DEFAULT_CIPHER_ALGO     CIPHER_ALGO_CAST5
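
Review bot: The new `#if GPG_USE_AES256` branch in g10/main.h changes the compiled-in DEFAULT_CIPHER_ALGO, but the diffstat shows no documentation change, unlike 0079, which updated the texinfo files for its new default. If the manual names the default cipher, update it in this patch. A one-line comment above the `#if` chain saying the branches are ordered strongest first would help keep later additions in order. Minor: "unforseen" in the log should be "unforeseen".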

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-gnupg/gnupg2.git


