Debian Bug report logs - #481500
mutt: should provide options for cipher selections

Package: mutt; Maintainer for mutt is Antonio Radici <antonio@dyne.org>; Source for mutt is src:mutt.

Reported by: "brian m. carlson" <sandals@crustytoothpaste.net>

Date: Wed, 16 Apr 2008 17:42:01 UTC

Severity: wishlist

Tags: confirmed, upstream

Forwarded to http://bugs.mutt.org/3247



Report forwarded to debian-bugs-dist@lists.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#476441; Package libgnutls26.

Acknowledgement sent to "brian m. carlson" <sandals@crustytoothpaste.ath.cx>:
New Bug report received and forwarded. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>.

Message #5 received at submit@bugs.debian.org:

From: "brian m. carlson" <sandals@crustytoothpaste.ath.cx>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libgnutls26: chooses AES128 over AES256 (again)
Date: Wed, 16 Apr 2008 17:41:05 +0000
Package: libgnutls26
Version: 2.2.2-1
Severity: important

When authenticating against a dovecot IMAP server, mutt now uses AES128, 
not AES256.  There is no reason that mutt should use a weaker cipher.  
This problem has occurred before and upstream provided the rationale 
that other parts of the cryptosystem are weaker than the 256-bit 
symmetric cipher, so there is no real gain in security.  However, that 
is no reason to deliberately cripple one part of the cryptosystem, and 
256-bit AES is only slightly slower than 128-bit AES (I know, I've 
implemented both).  This is also a regression from libgnutls13.

libgnutls26 should revert to choosing AES256 over AES128.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.25-rc8-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libgnutls26 depends on:
ii  libc6                  2.7-10            GNU C Library: Shared libraries
ii  libgcrypt11            1.4.0-3           LGPL Crypto library - runtime libr
ii  libgpg-error0          1.4-2             library for common error values an
ii  libopencdk10           0.6.6-1           Open Crypto Development Kit (OpenC
ii  libtasn1-3             1.3-1             Manage ASN.1 structures (runtime)
ii  zlib1g                 1:1.2.3.3.dfsg-12 compression library - runtime

libgnutls26 recommends no packages.

-- no debconf information

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 713 440 7475 | http://crustytoothpaste.ath.cx/~bmc | My opinion only
troff on top of XML: http://crustytoothpaste.ath.cx/~bmc/code/thwack
OpenPGP: RSA v4 4096b 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187

Noted your statement that Bug has been forwarded to http://news.gmane.org/find-root.php?message_id=%3c87zlqrewqt.fsf%40mocca.josefsson.org%3e. Request was from Andreas Metzler <ametzler@debian.org> to control@bugs.debian.org. (Thu, 15 May 2008 17:18:02 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#476441; Package libgnutls26.

Acknowledgement sent to Simon Josefsson <simon@josefsson.org>:
Extra info received and forwarded to list. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>.

Message #12 received at 476441@bugs.debian.org:

From: Simon Josefsson <simon@josefsson.org>
To: "brian m. carlson" <sandals@crustytoothpaste.ath.cx>
Cc: 476441@bugs.debian.org, control@bugs.debian.org
Subject: Re: libgnutls26: chooses AES128 over AES256 (again)
Date: Fri, 16 May 2008 10:41:20 +0200
tags 476441 upstream wontfix
thanks

Given the discussion so far at:

http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/2792

I'm inclined to close this as a wontfix report.

You may want to review our documentation on key sizes:

http://www.gnu.org/software/gnutls/manual/html_node/Selecting-cryptographic-key-sizes.html

That table is based on research in:

http://citeseer.ist.psu.edu/lenstra99selecting.html

We are open for discussion if you can provide better justification why
changing to AES-256 is warranted.

Note that changing the default for all programs is different from
_allowing_ AES-256 to be used in each program.  I believe you should be
able to use AES-256 with all programs that use GnuTLS.  If a program
using GnuTLS doesn't allow you to use AES-256, please file a bug on that
program.

/Simon




Tags added: upstream, wontfix. Request was from Simon Josefsson <simon@josefsson.org> to control@bugs.debian.org. (Fri, 16 May 2008 08:42:04 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#476441; Package libgnutls26.

Acknowledgement sent to "brian m. carlson" <sandals@crustytoothpaste.ath.cx>:
Extra info received and forwarded to list. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>.

Message #19 received at 476441@bugs.debian.org:

From: "brian m. carlson" <sandals@crustytoothpaste.ath.cx>
To: Simon Josefsson <simon@josefsson.org>
Cc: 476441@bugs.debian.org, control@bugs.debian.org
Subject: Re: libgnutls26: chooses AES128 over AES256 (again)
Date: Fri, 16 May 2008 14:14:55 +0000
clone 476441 -1 -2
reassign -1 mutt
retitle -1 mutt: should provide options for cipher selections
severity -1 wishlist
retitle -2 libgnutls26: use the same names for ciphers as OpenSSL
severity -2 normal
kthxbye

On Fri, May 16, 2008 at 10:41:20AM +0200, Simon Josefsson wrote:
>Given the discussion so far at:
>
>http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/2792

I think it's silly to intentionally weaken part of the cryptosystem.
The weakest part of the cryptosystem is currently the symmetric cipher.
If you used AES256, the weakest part would be either the MAC or the
public key.  That means that the strength of the cryptosystem lies in
the public key, where it belongs.  Any performance hit from the four
extra rounds in AES256 is only really relevant on very old
architectures, like m68k, which already takes two minutes to log in over
ssh.

You said that "to match a 256 bit symmetric key size, you need a ~15kb
large RSA key or a ~500b large DSA key."  500 bits is not a large key.
I can generate keys that are much larger than that, depending on the
protocol.  1024 bits is the standard, and some applications allow much
larger keys (OpenPGP and P.1363, for example).  If I used an 8192-bit p,
then I could even make q a 512-bit prime.  8000-bit keys are not that
far off in the future for high security applications.

Also, AES256 was the default in libgnutls13, so this change is a
regression.

>I'm inclined to close this as a wontfix report.

Please don't close it.  If you don't want to implement it, you may tag
it as wontfix.

>You may want to review our documentation on key sizes:
>
>http://www.gnu.org/software/gnutls/manual/html_node/Selecting-cryptographic-key-sizes.html

I'm aware that symmetric and asymmetric keys have different sizes for
the same strength.  I've read Applied Cryptography cover to cover,
several times.

>That table is based on research in:
>
>http://citeseer.ist.psu.edu/lenstra99selecting.html

I take exception to this data.  The lower bound for 2008 is 1279 bits,
which is way, way too low.  An appropriate minimum key size for anything
that will last more than a year is 2048.  I wouldn't even dream of using
anything symmetric with less than 128 bits these days, unless it was
3DES-EDE3 (which is equivalent to 112 bits).

>We are open for discussion if you can provide better justification why
>changing to AES-256 is warranted.
>
>Note that changing the default for all programs is different from
>_allowing_ AES-256 to be used in each program.  I believe you should be
>able to use AES-256 with all programs that use GnuTLS.  If a program
>using GnuTLS doesn't allow you to use AES-256, please file a bug on that
>program.

Unfortunately mutt doesn't have that knob, and even if it did, it would
be hard to use, since GnuTLS doesn't have the same names for ciphers and
doesn't have the same categories either.  I think this solution is only
acceptable if the names are the same, because otherwise, the config
files break, depending on how the programs are compiled.

Note that this happens with OpenLDAP, too.

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 713 440 7475 | http://crustytoothpaste.ath.cx/~bmc | My opinion only
troff on top of XML: http://crustytoothpaste.ath.cx/~bmc/code/thwack
OpenPGP: RSA v4 4096b 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
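The name mismatch complained about above (OpenSSL and GnuTLS spell the same suites differently, so one config file cannot serve both builds) is illustrated by this added example, which is not code from mutt, GnuTLS or the bug reporter. It translates an OpenSSL-style cipher list, as a hypothetical mutt option might accept it, into a GnuTLS priority string, keeping the user's preference order, and includes a check for whether a resulting string puts AES-256 ahead of AES-128; the suite table is a small constructed subset and the priority keywords are assumed to follow the GnuTLS 2.x "NONE:+..." syntax.

```python
# Constructed mapping: OpenSSL suite name -> (GnuTLS cipher, MAC, key exchange).
# Only a few AES/3DES-era suites are covered; anything else is rejected loudly
# rather than silently dropped, since a silently empty list is what breaks
# config files "depending on how the programs are compiled".
OPENSSL_TO_GNUTLS = {
    "AES256-SHA":         ("AES-256-CBC", "SHA1", "RSA"),
    "AES128-SHA":         ("AES-128-CBC", "SHA1", "RSA"),
    "DHE-RSA-AES256-SHA": ("AES-256-CBC", "SHA1", "DHE-RSA"),
    "DHE-RSA-AES128-SHA": ("AES-128-CBC", "SHA1", "DHE-RSA"),
    "DES-CBC3-SHA":       ("3DES-CBC",    "SHA1", "RSA"),
}

# OpenSSL cipher-string keywords that have no one-to-one GnuTLS spelling.
UNTRANSLATABLE = {"ALL", "DEFAULT", "HIGH", "MEDIUM", "LOW", "COMPLEMENTOFDEFAULT"}


def to_gnutls_priority(openssl_list: str) -> str:
    """Build a GnuTLS priority string enabling exactly the listed suites.

    Order is preserved: the first suite named is the first one offered,
    which is how a user would express "AES-256 before AES-128".
    """
    ciphers, macs, kx = [], [], []
    for name in filter(None, openssl_list.split(":")):
        if name in UNTRANSLATABLE or name[0] in "!-+@":
            raise ValueError(f"OpenSSL keyword {name!r} has no GnuTLS equivalent")
        if name not in OPENSSL_TO_GNUTLS:
            raise ValueError(f"no GnuTLS name known for suite {name!r}")
        for seen, item in zip((ciphers, macs, kx), OPENSSL_TO_GNUTLS[name]):
            if item not in seen:          # keep first-seen order, drop duplicates
                seen.append(item)
    if not ciphers:
        raise ValueError("cipher list is empty")
    parts = ["NONE"]                       # start from nothing, then enable explicitly
    parts += ["+" + c for c in ciphers + macs + kx]
    parts += ["+VERS-TLS1.0", "+COMP-NULL"]
    return ":".join(parts)


def prefers_aes256(priority: str) -> bool:
    """True if the priority string offers AES-256-CBC before AES-128-CBC."""
    keys = priority.split(":")
    pos = {k: i for i, k in enumerate(keys)}
    return pos.get("+AES-256-CBC", len(keys)) < pos.get("+AES-128-CBC", len(keys))


if __name__ == "__main__":
    prio = to_gnutls_priority("AES256-SHA:AES128-SHA")
    print(prio, "prefers AES-256:", prefers_aes256(prio))
```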

Bug 476441 cloned as bugs 481500, 481501. Request was from "brian m. carlson" <sandals@crustytoothpaste.ath.cx> to control@bugs.debian.org. (Fri, 16 May 2008 14:21:06 GMT)

Bug reassigned from package `libgnutls26' to `mutt'. Request was from "brian m. carlson" <sandals@crustytoothpaste.ath.cx> to control@bugs.debian.org. (Fri, 16 May 2008 14:21:09 GMT)

Changed Bug title to `mutt: should provide options for cipher selections' from `libgnutls26: chooses AES128 over AES256 (again)'. Request was from "brian m. carlson" <sandals@crustytoothpaste.ath.cx> to control@bugs.debian.org. (Fri, 16 May 2008 14:21:10 GMT)

Severity set to `wishlist' from `important'. Request was from "brian m. carlson" <sandals@crustytoothpaste.ath.cx> to control@bugs.debian.org. (Fri, 16 May 2008 14:21:11 GMT)

Tags removed: wontfix. Request was from "brian m. carlson" <sandals@crustytoothpaste.ath.cx> to control@bugs.debian.org. (Sun, 25 May 2008 15:15:03 GMT)

Removed annotation that Bug had been forwarded to http://news.gmane.org/find-root.php?message_id=%3c87zlqrewqt.fsf%40mocca.josefsson.org%3e. Request was from "brian m. carlson" <sandals@crustytoothpaste.ath.cx> to control@bugs.debian.org. (Sun, 25 May 2008 15:15:04 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Christoph Berg <myon@debian.org>:
Bug#481500; Package mutt. (Fri, 12 Jun 2009 23:27:06 GMT)

Message #34 received at 481500@bugs.debian.org:

From: Mutt <fleas@mutt.org>
To: antonio@dyne.org
Cc: mutt-dev@mutt.org, 481500@bugs.debian.org
Subject: [Mutt] #3247: mutt: should provide options for cipher selections
Date: Fri, 12 Jun 2009 23:26:48 -0000
#3247: mutt: should provide options for cipher selections
------------------------------+---------------------------------------------
 Reporter:  antonio@dyne.org  |       Owner:  mutt-dev
     Type:  enhancement       |      Status:  new     
 Priority:  minor             |   Milestone:          
Component:  crypto            |     Version:          
 Keywords:                    |  
------------------------------+---------------------------------------------
 Forwarding from http://bugs.debian.org/481500

 {{{
 When authenticating against a dovecot IMAP server, mutt now uses AES128,
 not AES256.  There is no reason that mutt should use a weaker cipher.
 This problem has occurred before and upstream provided the rationale
 that other parts of the cryptosystem are weaker than the 256-bit
 symmetric cipher, so there is no real gain in security.  However, that
 is no reason to deliberately cripple one part of the cryptosystem, and
 256-bit AES is only slightly slower than 128-bit AES (I know, I've
 implemented both).
 }}}

-- 
Ticket URL: <http://dev.mutt.org/trac/ticket/3247>
Mutt <http://www.mutt.org/>
The Mutt mail user agent





Tags added: confirmed, upstream. Request was from Antonio Radici <antonio@dyne.org> to control@bugs.debian.org. (Fri, 12 Jun 2009 23:30:02 GMT)

Noted your statement that Bug has been forwarded to http://bugs.mutt.org/3247. Request was from Antonio Radici <antonio@dyne.org> to control@bugs.debian.org. (Fri, 12 Jun 2009 23:30:02 GMT)

Changed Bug submitter to '"brian m. carlson" <sandals@crustytoothpaste.net>' from '"brian m. carlson" <sandals@crustytoothpaste.ath.cx>'. Request was from "brian m. carlson" <sandals@crustytoothpaste.net> to control@bugs.debian.org. (Thu, 03 Feb 2011 20:51:27 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 24 05:37:00 2014; Machine Name: buxtehude.debian.org
