Here are my thoughts on simplified OpenPGP. I don't think that there is one size that fits all. I think we need at least three profiles:

1. Backwards compatibility profile.

   3DES, SHA1, RSA2048 (for both encryption and signature)

   This is supported by most software and hardware and is reasonably secure.

2. Lightweight/mobile profile.

   Mobile considerations:

   Communication costs over GSM networks are measured in multiples of 140 bytes (or 1120 bits), which cost about €0.10.

   Asymmetrically encrypted session keys are equal to the public key length for RSA and twice that for ElGamal. Digital signatures are the size of the public key for RSA, and twice the size of the hash function for DSA variants. ElGamal signatures weigh twice the public key length, but that is irrelevant because there is no advantage in using ElGamal over DSA.

   Randomness available in mobile phones is typically very poor. The reference implementation of SSL for mobiles has recently been broken because of that. Now, DSA signatures can reveal the private key(!) if the randomness source they use is bad. Thankfully, mobile SSL uses RSA signatures, thus poor randomness only hurts confidentiality but does not reveal any private key or threaten authenticity and integrity.

   As you can see, some of these considerations are in conflict. My take is that we should play it out in the real world and standardize on what works best later.

3. General PC profile.

   Go for Pareto-complete algorithms, with over-designed symmetric parameters (because those are much cheaper):

   AES256, SHA512, RSA4096 (for both encryption and signature)

Any news on algebraic attacks on AES?

-- Daniel
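Illustration of the DSA randomness point in the post above, as an added example that is not part of the original message: a toy DSA with hand-picked tiny parameters (p = 1213, q = 101, a byte-sum stand-in for SHA-1, the key and nonce values, all constructed for this illustration) shows that two signatures produced with the same nonce both verify fine, yet together they give away the private key, while a defender can spot the condition by checking for a repeated r under one key.

```python
from collections import Counter

# Toy DSA parameters, chosen by hand for illustration only (never use sizes like these)
P, Q = 1213, 101             # q divides p - 1 = 1212 = 12 * 101
G = pow(2, (P - 1) // Q, P)  # generator of the order-q subgroup (457)


def toy_hash(msg: str) -> int:
    """Stand-in for SHA-1 so the numbers stay small: byte sum reduced mod q."""
    return sum(msg.encode()) % Q


def sign(x: int, k: int, msg: str) -> tuple[int, int]:
    """DSA signing; k is the per-signature nonce that must be fresh and secret."""
    r = pow(G, k, P) % Q
    s = pow(k, -1, Q) * (toy_hash(msg) + x * r) % Q
    if r == 0 or s == 0:
        raise ValueError("degenerate signature, pick another k")
    return r, s


def verify(y: int, msg: str, sig: tuple[int, int]) -> bool:
    """Standard DSA verification against the public key y = g^x mod p."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1, u2 = toy_hash(msg) * w % Q, r * w % Q
    return (pow(G, u1, P) * pow(y, u2, P) % P) % Q == r


def repeated_r(sigs: list[tuple[int, int]]) -> set[int]:
    """Defender check: the same r under one key means the nonce k was reused."""
    counts = Counter(r for r, _ in sigs)
    return {r for r, n in counts.items() if n > 1}


def recover_private_key(m1: str, sig1: tuple[int, int], m2: str, sig2: tuple[int, int]) -> int:
    """Why a reused nonce is fatal: the two s values solve for k, and k for x."""
    (r, s1), (_, s2) = sig1, sig2
    h1, h2 = toy_hash(m1), toy_hash(m2)
    k = (h1 - h2) * pow(s1 - s2, -1, Q) % Q
    return (s1 * k - h1) * pow(r, -1, Q) % Q


if __name__ == "__main__":
    x = 37                                         # private key (constructed)
    y = pow(G, x, P)                               # public key
    m1, m2 = "transfer 10 EUR", "transfer 90 EUR"  # constructed messages
    bad_k = 7                                      # nonce a poor RNG hands out twice
    s1, s2 = sign(x, bad_k, m1), sign(x, bad_k, m2)
    print(verify(y, m1, s1), verify(y, m2, s2))    # True True: both look fine
    print(repeated_r([s1, s2]))                    # {14}: the tell-tale sign
    print(recover_private_key(m1, s1, m2, s2))     # 37: the private key is gone
```

RSA signing has no per-signature nonce, which is why the post's remark holds that a weak RNG costs RSA confidentiality (the padding, the session key) but not the signing key.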