On Sat 2022-04-30 11:53:43 +0200, Davide Prina wrote:

So if I have, for example, old e-mails encrypted with this old and no more supported ciphers I will not be able anymore to read the content if I
don't install manually an old and unmaintained package (if I will be able
to do that... dependencies also can be unavailable or uninstallable)...
is that correct?

dealing with legacy archived encrypted data is definitely a potential
problem. I see two ways of doing this:

- Decrypt the data in one shot, using legacy tools, and store it in
cleartext form for future access.

- Decrypt the legacy PKESKs to retrieve the session keys, and store
them separately alongside your modern secret key material. Modern
implementations can use the session keys to decrypt the symmetric
data without bothering with the legacy PKESKs.

Naturally this is a general problem not Debian specific.

Yep, agreed.

-dkg

-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQQttUkcnfDcj0MoY88+nXFzcd5WXAUCYm18xgAKCRA+nXFzcd5W XM+7AP9odnGIXvVehxLRBShb4jr4tTwgEGpdNu10IygFATg75QD9GLy4m9M6LQka 0WUHlJRD9msNHKemOvWq9UVNkM4s4g8=
=zHu4
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Russ wrote:

gpg: Total number processed: 101
gpg: skipped PGP-2 keys: 84
gpg: unchanged: 17

Thanks for this review, Russ! Can you give a more detailed breakdown of
these keys? for example, at least algorithm choice and size? (iiuc,
all PGP-2 keys are RSA keys, but i don't think their sizes are
constrained).

On Fri 2022-04-29 18:04:18 -0700, Russ Allbery wrote:

Paul Wise <pabs@debian.org> writes:

and nothing other than GnuPG 1 supports these keys?

I'm personally not aware of anything other than the even more obsolete commercial PGP implementations, but maybe the package maintainers know
more.

I'm not aware of anything other than GnuPG 1 and the older, obsolete PGP implementations, but i haven't tested everything.

I think it's worth remembering that each key can be used for a range of different operations, and they have different deprecation patterns.
Using RFC 2119-style syntax, i think we have roughly the following requirements:

- Encryption: this is dangerous to do with a small key because it means
the encrypted session key is weakly protected.

Implementations MUST NOT encrypt to old, weak keys.

- Decryption: it's not insecure to decrypt data encrypted to these keys,
but it *is* insecure to indicate to the user that the data was
effectively protected. I like to think about this as the "base64
decode" problem" -- there's nothing wrong with running "base64 -d" but
there is a problem with presenting the decoded data as confidential.
See also the various E-Fail attacks related to decryption of
poorly-encrypted data.

Implementations MAY decrypt data with these keys provided that they
do not indicate strong confidentiality.

- Verification: a signature from an old, weak key does not offer a
strong guarantee of authenticity or integrity, because it may be
possible for an attacker to forge data.

Implementations MUST NOT treat any signature from an old, weak key as
valid.

- Signing: Signing data with an old, weak key that uses weak algorithms
may actually increase the risk of dangerous signature validations by
legacy implementations that are not following the guidance above for
not verifying signatures. For example, PGP-2 keys sign data with MD5.
In the event that the keyholder is making signatures over
attacker-supplied data, the attacker could create an MD5 collision,
get the victim to sign one variant, and then replay the signature on
the other variant. There may be other attacks that increase the risk
for a key with each signature made; if any attack risks leakage of
even a small amount of information about the secret key, then small,
weak keys are even more vulnerable than modern, stronger keys. Making
a signature with a key that modern implementations will refuse to
verify is also kind of pointless.

Implementations MUST NOT make signatures using known-weak digest
algorithms. Implementations SHOULD NOT make signatures with old, weak
keys.

I don't know enough about how Usenet uses these keys, but I think
they're only relevant for continued use if they involve decryption.

If someone wants to make and distribute a dedicated tool for decryption
with old keys (a "base64 -d" equivalent 😛), i wouldn't object to that.
But I don't think that implementation should be called GnuPG.

--dkg

--=-=-Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQQttUkcnfDcj0MoY88+nXFzcd5WXAUCYm17zQAKCRA+nXFzcd5W XF+nAPoDFVczEKyueUPA/d+rfY0Yhh++E58cuwdYiCVuqLsGZgD9Em12kntsYvRa 3RojGtNt7rmNzi1gQl2B/esHkwTR1gY=K6v4
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Daniel Kahn Gillmor <dkg@fifthhorseman.net> writes:

Thanks for this review, Russ! Can you give a more detailed breakdown of these keys? for example, at least algorithm choice and size? (iiuc,
all PGP-2 keys are RSA keys, but i don't think their sizes are
constrained).

This is for all keys, just just for the obsolete keys. I suspect the last
two lines are all modern keys.

2 pub 512R
1 pub 768R
7 pub 1024D
67 pub 1024R
1 pub 1535R
1 pub 2047R
18 pub 2048R
3 pub 4096R

I'm happy to provide more detailed information but I don't know the flags
to gpg1 very well, so I'm not sure what would produce useful information.

Most of these are not in active use, and I don't object to using this as a driving force to do a bunch of spring cleaning and tell hierarchy administrators they need to generate new keys if they want their control messages to still be honored.

I don't know enough about how Usenet uses these keys, but I think
they're only relevant for continued use if they involve decryption.

They are exclusively used to sign and verify control messages using the pgpverify protocol [1]. Some of these old PGP-2 keys are still in active
use to sign newly-issued control messages because getting sites to update
the keys is hard, and Usenet is very low on resources. Usenet keys are basically never used for encryption or decryption.

Part of the problem with convincing people to upgrade is that this isn't a
very high-security problem and it's not horribly difficult to correct for
any attacks. It's very unlikely that anyone would spend thousands of
dollars to forge a Usenet control message. I'm dubious that anyone would
even spend $100. (Those 512-bit RSA keys may be even cheaper to
compromise than that at this point, though. I haven't kept up with the
state of the art.)

Still, we should modernize. (I issued a new Big Eight key and am
dual-issuing control messages now with both the old and new key, and plan
to continue dual-issuing control messages until the software to issue signatures with the old key is no longer supported.)

[1] https://www.eyrie.org/~eagle/usefor/other/pgpverify
I kept meaning to write an RFC but never got around to it.

--
Russ Allbery (rra@debian.org) <https://www.eyrie.org/~eagle/>

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sat, 30 Apr 2022 07:49, Paul Wise said:

Are there any things that can be done with GnuPG 1.4 that cannot be
done with GnuPG 2 or one of the other OpenPGP implementations?

Yes, decrypting legacy data created between 1992 to ~2003. That is
because support for PGP 2 has been dropped from 2.x by public demand.


Salam-Shalom,

Werner

--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein

-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQSHd0YfKgdOvEgNNZQZzByeCFsQegUCYm6HEgAKCRAZzByeCFsQ euiqAP40gOevEjypQ/p/85VIVQC49s9+U83FrLeBcfFC52XeugD/QDw2z9eLlD72 oTfARsnIaZUuD/r+c0xCYOteR50VXwY=
=PWxa
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)