[Pkg-gnupg-commit] [gnupg2] 01/05: update to stronger cryptographic defaults.

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Sep 8 03:29:02 UTC 2017


This is an automated email from the git hooks/post-receive script.

dkg pushed a commit to branch master
in repository gnupg2.

commit 4e9a3b268b1f7758c4b946a53488cf4f09396d0d
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date:   Thu Sep 7 19:20:18 2017 -0400

    update to stronger cryptographic defaults.
---
 debian/patches/series                              |   6 +
 .../0014-gpgsm-default-to-3072-bit-keys.patch      | 128 +++++++++++++++++++++
 .../0015-gpg-default-to-3072-bit-RSA-keys.patch    | 115 ++++++++++++++++++
 ...-to-SHA-512-for-all-signature-types-on-RS.patch |  64 +++++++++++
 ...SHA-512-and-SHA-384-in-default-preference.patch |  48 ++++++++
 .../0018-gpg-default-to-AES-256.patch              |  34 ++++++
 ...lt-to-protection-that-takes-300ms-up-from.patch |  48 ++++++++
 7 files changed, 443 insertions(+)

diff --git a/debian/patches/series b/debian/patches/series
index c660008..30da6b9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -11,3 +11,9 @@ gpg-agent-idling/0010-agent-Avoid-tight-timer-tick-when-possible.patch
 gpg-agent-idling/0011-agent-Avoid-scheduled-checks-on-socket-when-inotify-.patch
 skip-missing-signing-keys/0013-g10-Skip-signing-keys-where-no-secret-key-is-availab.patch
 0013-scd-Fix-for-large-ECC-keys.patch
+update-defaults/0014-gpgsm-default-to-3072-bit-keys.patch
+update-defaults/0015-gpg-default-to-3072-bit-RSA-keys.patch
+update-defaults/0016-gpg-Default-to-SHA-512-for-all-signature-types-on-RS.patch
+update-defaults/0017-gpg-Prefer-SHA-512-and-SHA-384-in-default-preference.patch
+update-defaults/0018-gpg-default-to-AES-256.patch
+update-defaults/0019-agent-default-to-protection-that-takes-300ms-up-from.patch
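Review bot: the six update-defaults/ entries change user-visible behaviour (RSA key size, signature digest, cipher, passphrase-protection time), yet the diffstat for this commit lists only debian/patches/series and the six patch files, with no debian/changelog or NEWS entry. Please add one so that users can tell why newly generated keys and signatures differ after the upgrade. A smaller point: the context lines show two existing patches numbered 0013, so the numeric prefixes are already not unique, and the new 0014 to 0019 range should be checked against the other subdirectories.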
diff --git a/debian/patches/update-defaults/0014-gpgsm-default-to-3072-bit-keys.patch b/debian/patches/update-defaults/0014-gpgsm-default-to-3072-bit-keys.patch
new file mode 100644
index 0000000..d24a83c
--- /dev/null
+++ b/debian/patches/update-defaults/0014-gpgsm-default-to-3072-bit-keys.patch
@@ -0,0 +1,128 @@
+From: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
+Date: Thu, 7 Sep 2017 18:39:37 -0400
+Subject: gpgsm: default to 3072-bit keys.
+
+* doc/gpgsm.texi, doc/howto-create-a-server-cert.texi: : update
+default to 3072 bits.
+* sm/certreqgen-ui.c (gpgsm_gencertreq_tty): update default to
+3072 bits.
+* sm/certreqgen.c (proc_parameters): update default to 3072 bits.
+* sm/gpgsm.c (main): print correct default_pubkey_algo.
+
+--
+
+3072-bit RSA is widely considered to be 128-bit-equivalent security.
+This is a sensible default in 2017.
+
+Signed-off-by: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
+---
+ doc/gpgsm.texi                      |  2 +-
+ doc/howto-create-a-server-cert.texi | 14 +++++++-------
+ sm/certreqgen-ui.c                  |  2 +-
+ sm/certreqgen.c                     |  4 ++--
+ sm/gpgsm.c                          |  2 +-
+ 5 files changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/doc/gpgsm.texi b/doc/gpgsm.texi
+index 5d79ce5..bdc6b87 100644
+--- a/doc/gpgsm.texi
++++ b/doc/gpgsm.texi
+@@ -1073,7 +1073,7 @@ key. The algorithm must be capable of signing.  This is a required
+ parameter.  The only supported value for @var{algo} is @samp{rsa}.
+ 
+ @item Key-Length: @var{nbits}
+-The requested length of a generated key in bits.  Defaults to 2048.
++The requested length of a generated key in bits.  Defaults to 3072.
+ 
+ @item Key-Grip: @var{hexstring}
+ This is optional and used to generate a CSR or certificate for an
+diff --git a/doc/howto-create-a-server-cert.texi b/doc/howto-create-a-server-cert.texi
+index 55f1a91..30e28bd 100644
+--- a/doc/howto-create-a-server-cert.texi
++++ b/doc/howto-create-a-server-cert.texi
+@@ -31,14 +31,14 @@ Let's continue:
+ 
+ @cartouche
+ @example
+-  What keysize do you want? (2048)
+-  Requested keysize is 2048 bits
++  What keysize do you want? (3072)
++  Requested keysize is 3072 bits
+ @end example
+ @end cartouche
+ 
+-Hitting enter chooses the default RSA key size of 2048 bits.  Smaller
+-keys are too weak on the modern Internet.  If you choose a larger
+-(stronger) key, your server will need to do more work.
++Hitting enter chooses the default RSA key size of 3072 bits.  Keys
++smaller than 2048 bits are too weak on the modern Internet.  If you
++choose a larger (stronger) key, your server will need to do more work.
+ 
+ @cartouche
+ @example
+@@ -124,7 +124,7 @@ request:
+ @example
+   These parameters are used:
+       Key-Type: RSA
+-      Key-Length: 2048
++      Key-Length: 3072
+       Key-Usage: sign, encrypt
+       Name-DN: CN=example.com
+       Name-DNS: example.com
+@@ -224,7 +224,7 @@ To see the content of your certificate, you may now enter:
+             aka: (dns-name example.com)
+             aka: (dns-name www.example.com)
+        validity: 2015-07-01 16:20:51 through 2016-07-01 16:20:51
+-       key type: 2048 bit RSA
++       key type: 3072 bit RSA
+       key usage: digitalSignature keyEncipherment
+   ext key usage: clientAuth (suggested), serverAuth (suggested), [...]
+     fingerprint: 0F:9C:27:B2:DA:05:5F:CB:33:D8:19:E9:65:B9:4F:BD:B1:98:CC:57
+diff --git a/sm/certreqgen-ui.c b/sm/certreqgen-ui.c
+index 9772a3b..4f8a1ac 100644
+--- a/sm/certreqgen-ui.c
++++ b/sm/certreqgen-ui.c
+@@ -138,7 +138,7 @@ gpgsm_gencertreq_tty (ctrl_t ctrl, estream_t output_stream)
+   unsigned int nbits;
+   int minbits = 1024;
+   int maxbits = 4096;
+-  int defbits = 2048;
++  int defbits = 3072;
+   const char *keyusage;
+   char *subject_name;
+   membuf_t mb_email, mb_dns, mb_uri, mb_result;
+diff --git a/sm/certreqgen.c b/sm/certreqgen.c
+index 4431870..1d610c1 100644
+--- a/sm/certreqgen.c
++++ b/sm/certreqgen.c
+@@ -26,7 +26,7 @@
+      $ cat >foo <<EOF
+      %echo Generating a standard key
+      Key-Type: RSA
+-     Key-Length: 2048
++     Key-Length: 3072
+      Name-DN: CN=test cert 1,OU=Aegypten Project,O=g10 Code GmbH,L=Ddorf,C=DE
+      Name-Email: joe at foo.bar
+      # Do a commit here, so that we can later print a "done"
+@@ -468,7 +468,7 @@ proc_parameters (ctrl_t ctrl, struct para_data_s *para,
+   /* Check the keylength.  NOTE: If you change this make sure that it
+      macthes the gpgconflist item in gpgsm.c  */
+   if (!get_parameter (para, pKEYLENGTH, 0))
+-    nbits = 2048;
++    nbits = 3072;
+   else
+     nbits = get_parameter_uint (para, pKEYLENGTH);
+   if ((nbits < 1024 || nbits > 4096) && !cardkeyid)
+diff --git a/sm/gpgsm.c b/sm/gpgsm.c
+index 10eff0a..fa37f63 100644
+--- a/sm/gpgsm.c
++++ b/sm/gpgsm.c
+@@ -1785,7 +1785,7 @@ main ( int argc, char **argv)
+         /* The next one is an info only item and should match what
+            proc_parameters actually implements.  */
+         es_printf ("default_pubkey_algo:%lu:\"%s:\n", GC_OPT_FLAG_DEFAULT,
+-                   "RSA-2048");
++                   "RSA-3072");
+ 
+       }
+       break;
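Review bot: the lower bound stays at 1024 bits in both sm/certreqgen-ui.c (`int minbits = 1024;`) and sm/certreqgen.c (`nbits < 1024`), while the howto text updated in this same patch now says that keys smaller than 2048 bits are too weak on the modern Internet. Either raise the minimum to 2048 in both places, or have the documentation say that 1024-bit requests are still accepted. Two smaller points: the changelog line for the doc files has a doubled colon (": :"), and the howto sample output now reports "3072 bit RSA" alongside the unchanged fingerprint and validity dates, so it is hand-edited rather than captured from a run.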
diff --git a/debian/patches/update-defaults/0015-gpg-default-to-3072-bit-RSA-keys.patch b/debian/patches/update-defaults/0015-gpg-default-to-3072-bit-RSA-keys.patch
new file mode 100644
index 0000000..1ce99d9
--- /dev/null
+++ b/debian/patches/update-defaults/0015-gpg-default-to-3072-bit-RSA-keys.patch
@@ -0,0 +1,115 @@
+From: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
+Date: Thu, 7 Sep 2017 18:41:10 -0400
+Subject: gpg: default to 3072-bit RSA keys.
+
+* agent/command.c (hlp_genkey): update help text to suggest the use of
+3072 bits.
+* doc/wks.texi: Make example match default generation.
+* g10/keygen.c (DEFAULT_STD_KEY_PARAM): update to
+rsa3072/cert,sign+rsa3072/encr, and fix neighboring comment,
+(gen_rsa, get_keysize_range): update default from 2048 to 3072).
+* g10/keyid.c (pubkey_string): update comment so that first example
+is the default 3072-bit RSA.
+
+--
+
+3072-bit RSA is widely considered to be 128-bit-equivalent security.
+This is a sensible default in 2017.
+
+Signed-off-by: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
+---
+ agent/command.c | 2 +-
+ doc/wks.texi    | 4 ++--
+ g10/keygen.c    | 9 ++++-----
+ g10/keyid.c     | 4 ++--
+ 4 files changed, 9 insertions(+), 10 deletions(-)
+
+diff --git a/agent/command.c b/agent/command.c
+index f2a6683..fd39c68 100644
+--- a/agent/command.c
++++ b/agent/command.c
+@@ -874,7 +874,7 @@ static const char hlp_genkey[] =
+   "\n"
+   "  C: GENKEY\n"
+   "  S: INQUIRE KEYPARAM\n"
+-  "  C: D (genkey (rsa (nbits  2048)))\n"
++  "  C: D (genkey (rsa (nbits 3072)))\n"
+   "  C: END\n"
+   "  S: D (public-key\n"
+   "  S: D   (rsa (n 326487324683264) (e 10001)))\n"
+diff --git a/doc/wks.texi b/doc/wks.texi
+index f9b1a0c..f17497f 100644
+--- a/doc/wks.texi
++++ b/doc/wks.texi
+@@ -301,11 +301,11 @@ the submission address:
+ The output of the last command looks similar to this:
+ 
+ @example
+-  sec   rsa2048 2016-08-30 [SC]
++  sec   rsa3072 2016-08-30 [SC]
+         C0FCF8642D830C53246211400346653590B3795B
+   uid           [ultimate] key-submission@@example.net
+                 bxzcxpxk8h87z1k7bzk86xn5aj47intu@@example.net
+-  ssb   rsa2048 2016-08-30 [E]
++  ssb   rsa3072 2016-08-30 [E]
+ @end example
+ 
+ Take the hash of the string "key-submission", which is
+diff --git a/g10/keygen.c b/g10/keygen.c
+index 6a3d323..048a391 100644
+--- a/g10/keygen.c
++++ b/g10/keygen.c
+@@ -46,11 +46,10 @@
+ #include "../common/mbox-util.h"
+ 
+ 
+-/* The default algorithms.  If you change them remember to change them
+-   also in gpg.c:gpgconf_list.  You should also check that the value
++/* The default algorithms.  If you change them, you should ensure the value
+    is inside the bounds enforced by ask_keysize and gen_xxx.  See also
+    get_keysize_range which encodes the allowed ranges.  */
+-#define DEFAULT_STD_KEY_PARAM  "rsa2048/cert,sign+rsa2048/encr"
++#define DEFAULT_STD_KEY_PARAM  "rsa3072/cert,sign+rsa3072/encr"
+ #define FUTURE_STD_KEY_PARAM   "ed25519/cert,sign+cv25519/encr"
+ 
+ /* When generating keys using the streamlined key generation dialog,
+@@ -1623,7 +1622,7 @@ gen_rsa (int algo, unsigned int nbits, KBNODE pub_root,
+ 
+   if (nbits < 1024)
+     {
+-      nbits = 2048;
++      nbits = 3072;
+       log_info (_("keysize invalid; using %u bits\n"), nbits );
+     }
+   else if (nbits > maxsize)
+@@ -2092,7 +2091,7 @@ get_keysize_range (int algo, unsigned int *min, unsigned int *max)
+     default:
+       *min = opt.compliance == CO_DE_VS ? 2048: 1024;
+       *max = 4096;
+-      def = 2048;
++      def = 3072;
+       break;
+     }
+ 
+diff --git a/g10/keyid.c b/g10/keyid.c
+index d733156..c519bc5 100644
+--- a/g10/keyid.c
++++ b/g10/keyid.c
+@@ -73,7 +73,7 @@ pubkey_letter( int algo )
+    is copied to the supplied buffer up a length of BUFSIZE-1.
+    Examples for the output are:
+ 
+-   "rsa2048"  - RSA with 2048 bit
++   "rsa3072"  - RSA with 3072 bit
+    "elg1024"  - Elgamal with 1024 bit
+    "ed25519"  - ECC using the curve Ed25519.
+    "E_1.2.3.4"  - ECC using the unsupported curve with OID "1.2.3.4".
+@@ -83,7 +83,7 @@ pubkey_letter( int algo )
+    If the option --legacy-list-mode is active, the output use the
+    legacy format:
+ 
+-   "2048R" - RSA with 2048 bit
++   "3072R" - RSA with 3072 bit
+    "1024g" - Elgamal with 1024 bit
+    "256E"  - ECDSA using a curve with 256 bit
+ 
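Review bot: the comment above DEFAULT_STD_KEY_PARAM in g10/keygen.c drops the reminder to keep gpg.c:gpgconf_list in sync, but the diffstat shows no change to g10/gpg.c and the commit message says only "fix neighboring comment". Please state in the message why the cross-reference is obsolete, or update gpgconf_list in the same patch so the reported default cannot stay at the old value. As in the gpgsm patch, the doc/wks.texi example now shows rsa3072 next to the unchanged fingerprint and dates, so it is edited sample output rather than a fresh capture.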
diff --git a/debian/patches/update-defaults/0016-gpg-Default-to-SHA-512-for-all-signature-types-on-RS.patch b/debian/patches/update-defaults/0016-gpg-Default-to-SHA-512-for-all-signature-types-on-RS.patch
new file mode 100644
index 0000000..7f006c0
--- /dev/null
+++ b/debian/patches/update-defaults/0016-gpg-Default-to-SHA-512-for-all-signature-types-on-RS.patch
@@ -0,0 +1,64 @@
+From: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
+Date: Thu, 7 Sep 2017 18:49:35 -0400
+Subject: gpg: Default to SHA-512 for all signature types on RSA keys.
+
+* g10/main.h (DEFAULT_DIGEST_ALGO): Use SHA512 instead of SHA256 in
+--gnupg mode (leave strict RFC and PGP modes alone).
+* configure.ac: Do not allow to disable sha512.
+* g10/misc.c (map_md_openpgp_to_gcry): Always support SHA512.
+
+--
+
+SHA512 is more performant on most 64-bit platforms than SHA256, and
+offers a better security margin.  It is also widely implemented.
+
+Signed-off-by: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
+---
+ configure.ac | 2 +-
+ g10/main.h   | 2 +-
+ g10/misc.c   | 5 +----
+ 3 files changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index f520d1c..0d1e883 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -312,7 +312,7 @@ GNUPG_GPG_DISABLE_ALGO([rmd160],[RIPE-MD160 hash])
+ GNUPG_GPG_DISABLE_ALGO([sha224],[SHA-224 hash])
+ # SHA256 is a MUST algorithm for GnuPG.
+ GNUPG_GPG_DISABLE_ALGO([sha384],[SHA-384 hash])
+-GNUPG_GPG_DISABLE_ALGO([sha512],[SHA-512 hash])
++# SHA512 is a MUST algorithm for GnuPG.
+ 
+ 
+ # Allow disabling of zip support.
+diff --git a/g10/main.h b/g10/main.h
+index 87417ee..cd7f600 100644
+--- a/g10/main.h
++++ b/g10/main.h
+@@ -39,7 +39,7 @@
+ # define DEFAULT_CIPHER_ALGO     CIPHER_ALGO_3DES
+ #endif
+ 
+-#define DEFAULT_DIGEST_ALGO     ((GNUPG)? DIGEST_ALGO_SHA256:DIGEST_ALGO_SHA1)
++#define DEFAULT_DIGEST_ALGO     ((GNUPG)? DIGEST_ALGO_SHA512:DIGEST_ALGO_SHA1)
+ #define DEFAULT_S2K_DIGEST_ALGO DIGEST_ALGO_SHA1
+ #ifdef HAVE_ZIP
+ # define DEFAULT_COMPRESS_ALGO   COMPRESS_ALGO_ZIP
+diff --git a/g10/misc.c b/g10/misc.c
+index 77c8f26..928dd7f 100644
+--- a/g10/misc.c
++++ b/g10/misc.c
+@@ -742,11 +742,8 @@ map_md_openpgp_to_gcry (digest_algo_t algo)
+     case DIGEST_ALGO_SHA384: return 0;
+ #endif
+ 
+-#ifdef GPG_USE_SHA512
+     case DIGEST_ALGO_SHA512: return GCRY_MD_SHA512;
+-#else
+-    case DIGEST_ALGO_SHA512: return 0;
+-#endif
++
+     default: return 0;
+     }
+ }
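Review bot: removing `GNUPG_GPG_DISABLE_ALGO([sha512],[SHA-512 hash])` from configure.ac takes away the build-time switch, and the patch cleans up only the one `#ifdef GPG_USE_SHA512` in map_md_openpgp_to_gcry. If that configure macro is what defines GPG_USE_SHA512, any other code still guarded by the symbol would now compile out without a warning; please grep the tree for remaining uses and either drop the guards or keep the symbol defined unconditionally. The subject says "on RSA keys" while the changed DEFAULT_DIGEST_ALGO macro depends only on GNUPG, so the message should say where the RSA restriction comes from. DEFAULT_S2K_DIGEST_ALGO in the adjacent context line stays at DIGEST_ALGO_SHA1; if that is deliberate, a sentence in the commit message would help.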
diff --git a/debian/patches/update-defaults/0017-gpg-Prefer-SHA-512-and-SHA-384-in-default-preference.patch b/debian/patches/update-defaults/0017-gpg-Prefer-SHA-512-and-SHA-384-in-default-preference.patch
new file mode 100644
index 0000000..f37a215
--- /dev/null
+++ b/debian/patches/update-defaults/0017-gpg-Prefer-SHA-512-and-SHA-384-in-default-preference.patch
@@ -0,0 +1,48 @@
+From: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
+Date: Thu, 7 Sep 2017 18:58:50 -0400
+Subject: gpg: Prefer SHA-512 and SHA-384 in default-preference-list.
+
+* g10/keygen.c (keygen_set_std_prefs): State a preference for SHA-512
+and SHA-384 in the default preference list.
+
+--
+
+Most modern 64-bit architectures can do SHA-512 faster than they can
+do SHA-256.  Another approach here would be to switch the default
+preferences based on the architecture of the machine.  However, this
+leaks unnecessary metadata about what machine the key was generated
+on, and the key may eventually be transfered to a modern 64-bit
+platform anyway.  And the cost of the digest is trivial compared to
+the rest of the crypto that is involved.
+
+Signed-off-by: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
+---
+ g10/keygen.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/g10/keygen.c b/g10/keygen.c
+index 048a391..2f6bf56 100644
+--- a/g10/keygen.c
++++ b/g10/keygen.c
+@@ -383,16 +383,16 @@ keygen_set_std_prefs (const char *string,int personal)
+ 	    strcat(dummy_string,"S2 "); /* 3DES */
+ 
+             /* The default hash algo order is:
+-                 SHA-256, SHA-384, SHA-512, SHA-224, SHA-1.
++                 SHA-512, SHA-384, SHA-256, SHA-224, SHA-1.
+              */
+-	    if (!openpgp_md_test_algo (DIGEST_ALGO_SHA256))
+-	      strcat (dummy_string, "H8 ");
++	    if (!openpgp_md_test_algo (DIGEST_ALGO_SHA512))
++	      strcat (dummy_string, "H10 ");
+ 
+ 	    if (!openpgp_md_test_algo (DIGEST_ALGO_SHA384))
+ 	      strcat (dummy_string, "H9 ");
+ 
+-	    if (!openpgp_md_test_algo (DIGEST_ALGO_SHA512))
+-	      strcat (dummy_string, "H10 ");
++	    if (!openpgp_md_test_algo (DIGEST_ALGO_SHA256))
++	      strcat (dummy_string, "H8 ");
+ 
+ 	    if (!openpgp_md_test_algo (DIGEST_ALGO_SHA224))
+ 	      strcat (dummy_string, "H11 ");
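Review bot: the reordering in keygen_set_std_prefs updates the in-code comment only, and the diffstat lists g10/keygen.c as the sole file changed. If the manual or any test fixture spells out the default hash order (previously SHA-256, SHA-384, SHA-512, SHA-224, SHA-1), it should be updated in the same patch so documentation and generated keys agree. The commit message also has a typo, "transfered".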
diff --git a/debian/patches/update-defaults/0018-gpg-default-to-AES-256.patch b/debian/patches/update-defaults/0018-gpg-default-to-AES-256.patch
new file mode 100644
index 0000000..a9f7d26
--- /dev/null
+++ b/debian/patches/update-defaults/0018-gpg-default-to-AES-256.patch
@@ -0,0 +1,34 @@
+From: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
+Date: Thu, 7 Sep 2017 19:04:00 -0400
+Subject: gpg: default to AES-256.
+
+* g10/main.h (DEFAULT_CIPHER_ALGO): Prefer AES256 by default.
+
+--
+
+It's 2017, and pretty much everyone has AES-256 available.  Symmetric
+crypto is also rarely the bottleneck (asymmetric crypto is much more
+expensive).  AES-256 provides some level of protection against
+large-scale decryption efforts, and longer key lengths provide a hedge
+against unforseen cryptanalysis.
+
+Signed-off-by: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
+---
+ g10/main.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/g10/main.h b/g10/main.h
+index cd7f600..8773c43 100644
+--- a/g10/main.h
++++ b/g10/main.h
+@@ -31,8 +31,8 @@
+    (i.e. uncompressed) rather than 1 (zip).  However, the real world
+    issues of speed and size come into play here. */
+ 
+-#if GPG_USE_AES128
+-# define DEFAULT_CIPHER_ALGO     CIPHER_ALGO_AES
++#if GPG_USE_AES256
++# define DEFAULT_CIPHER_ALGO     CIPHER_ALGO_AES256
+ #elif GPG_USE_CAST5
+ # define DEFAULT_CIPHER_ALGO     CIPHER_ALGO_CAST5
+ #else
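Review bot: the `#if GPG_USE_AES128` branch in g10/main.h is replaced rather than kept as a fallback, so a build with AES-256 disabled but AES-128 enabled now falls through to the CAST5 case or the final `#else` instead of defaulting to AES-128. Suggest keeping the old branch as the second choice, ahead of CAST5: `#elif GPG_USE_AES128` followed by `# define DEFAULT_CIPHER_ALGO     CIPHER_ALGO_AES`.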
diff --git a/debian/patches/update-defaults/0019-agent-default-to-protection-that-takes-300ms-up-from.patch b/debian/patches/update-defaults/0019-agent-default-to-protection-that-takes-300ms-up-from.patch
new file mode 100644
index 0000000..0d60ea0
--- /dev/null
+++ b/debian/patches/update-defaults/0019-agent-default-to-protection-that-takes-300ms-up-from.patch
@@ -0,0 +1,48 @@
+From: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
+Date: Thu, 7 Sep 2017 19:10:48 -0400
+Subject: agent: default to protection that takes 300ms (up from 100ms).
+
+* agent/protect.c (calibrate_s2k_count): Calibrate to 300ms instead of
+100ms.
+
+--
+
+It's likely that the user will keep their secret keys unlocked in the
+gpg-agent, so the costs of doing an unlock should be amortized over
+time.  Additionally, attackers might have computers more powerful than
+the machine the secret key is generated on.  Both of these factors
+suggest that we should probably increase the default lock/unlock costs
+for the secret key when it is placed in long-term storage.
+
+Signed-off-by: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
+---
+ agent/protect.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/agent/protect.c b/agent/protect.c
+index c257861..04e87a2 100644
+--- a/agent/protect.c
++++ b/agent/protect.c
+@@ -159,7 +159,7 @@ calibrate_s2k_count_one (unsigned long count)
+ 
+ 
+ /* Measure the time we need to do the hash operations and deduce an
+-   S2K count which requires about 100ms of time.  */
++   S2K count which requires about 300ms of time.  */
+ static unsigned long
+ calibrate_s2k_count (void)
+ {
+@@ -171,11 +171,11 @@ calibrate_s2k_count (void)
+       ms = calibrate_s2k_count_one (count);
+       if (opt.verbose > 1)
+         log_info ("S2K calibration: %lu -> %lums\n", count, ms);
+-      if (ms > 100)
++      if (ms > 300)
+         break;
+     }
+ 
+-  count = (unsigned long)(((double)count / ms) * 100);
++  count = (unsigned long)(((double)count / ms) * 300);
+   count /= 1024;
+   count *= 1024;
+   if (count < 65536)
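Review bot: the 300 ms target in calibrate_s2k_count is now written out three times (the comment, `if (ms > 300)` and the `* 300` scaling), and these have to change together every time the target moves. A single named constant shared by the loop threshold and the scaling, for example `#define S2K_CALIBRATION_MS 300` (a hypothetical name), would make the next adjustment a one-line edit. The unlock delay is user-visible, so any documentation that quotes the 100 ms figure should be updated in the same patch; the diffstat lists only agent/protect.c.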

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-gnupg/gnupg2.git


