disable IDEA, simply arguments in PgpSecurityConstants

This commit is contained in:
Dominik Schürmann 2021-03-16 14:54:15 +01:00
parent d0d499fc72
commit af64735cbf

View file

@ -39,17 +39,6 @@ import org.sufficientlysecure.keychain.pgp.SecurityProblem.EncryptionAlgorithmPr
import org.sufficientlysecure.keychain.pgp.SecurityProblem.UnidentifiedKeyProblem;
/**
* NIST requirements for 2011-2030 (http://www.keylength.com/en/4/):
* - RSA: 2048 bit
* - ECC: 224 bit
* - Symmetric: 3TDEA
* - Digital Signature (hash A): SHA-224 - SHA-512
*
* Extreme Decisions for Yahoo's End-to-End:
* https://github.com/yahoo/end-to-end/issues/31
* https://gist.github.com/coruus/68a8c65571e2b4225a69
*/
public class PgpSecurityConstants {
/**
@ -58,10 +47,9 @@ public class PgpSecurityConstants {
*/
private static HashSet<Integer> sSecureSymmetricAlgorithms = new HashSet<>(Arrays.asList(
// General remarks: We try to keep the list short to reduce attack surface
// TODO: block IDEA?: Bad key schedule (weak keys), implementation difficulties (easy to make errors)
SymmetricKeyAlgorithmTags.IDEA,
SymmetricKeyAlgorithmTags.TRIPLE_DES, // a MUST in RFC
SymmetricKeyAlgorithmTags.CAST5, // default in many gpg, pgp versions, 128 bit key
// SymmetricKeyAlgorithmTags.IDEA, // Bad key schedule (weak keys), implementation difficulties (easy to make errors)
SymmetricKeyAlgorithmTags.TRIPLE_DES, // RFC4880: "MUST implement TripleDES"
SymmetricKeyAlgorithmTags.CAST5, // default in many gpg, pgp versions, 128 bit key, RFC4880: "SHOULD implement AES-128 and CAST5"
// BLOWFISH: Twofish is the successor
// SAFER: not used widely
// DES: < 128 bit security
@ -84,27 +72,19 @@ public class PgpSecurityConstants {
/**
* List of secure hash algorithms
* all other algorithms are rejected with OpenPgpSignatureResult.RESULT_INSECURE
*
* coorus:
* Implementations SHOULD use SHA-512 for RSA or DSA signatures. They SHOULD NOT use SHA-384.
* ((cite to affine padding attacks; unproven status of RSA-PKCSv15))
*
* Implementations MUST NOT sign SHA-224 hashes. They SHOULD NOT accept signatures over SHA-224 hashes.
* ((collision resistance of 112-bits))
* Implementations SHOULD NOT sign SHA-256 hashes. They MUST NOT default to signing SHA-256 hashes.
*/
private static HashSet<Integer> sSecureHashAlgorithms = new HashSet<>(Arrays.asList(
// MD5: broken
HashAlgorithmTags.SHA1, // TODO: disable when SHA256 is widely deployed
HashAlgorithmTags.SHA1, // RFC4880: "MUST implement SHA-1", TODO: disable when SHA256 is widely deployed
HashAlgorithmTags.RIPEMD160, // same security properties as SHA1, TODO: disable when SHA256 is widely deployed
// DOUBLE_SHA: not used widely
// MD2: not used widely
// TIGER_192: not used widely
// HAVAL_5_160: not used widely
HashAlgorithmTags.SHA256, // compatibility for old Mailvelope versions
HashAlgorithmTags.SHA384,
HashAlgorithmTags.SHA384, // affine padding attacks; unproven status of RSA-PKCSv15
HashAlgorithmTags.SHA512
// SHA224: Not used widely, Yahoo argues against it
// SHA224: issues with collision resistance of 112-bits, Not used widely
));
static InsecureSigningAlgorithm checkSignatureAlgorithmForSecurityProblems(int hashAlgorithm) {
@ -118,11 +98,6 @@ public class PgpSecurityConstants {
* List of secure asymmetric algorithms in switch statement
* all other algorithms are rejected with OpenPgpSignatureResult.RESULT_INSECURE or
* OpenPgpDecryptionResult.RESULT_INSECURE
*
* coorus:
* Implementations MUST NOT accept, or treat any signature as valid, by an RSA key with
* bitlength less than 1023 bits.
* Implementations MUST NOT accept any RSA keys with bitlength less than 2047 bits after January 1, 2016.
*/
private static HashSet<String> sSecureCurves = new HashSet<>(Arrays.asList(
NISTNamedCurves.getOID("P-256").getId(),
@ -147,7 +122,7 @@ public class PgpSecurityConstants {
@Nullable
public static KeySecurityProblem getKeySecurityProblem(long masterKeyId, long subKeyId, int algorithm,
Integer bitStrength, String curveOid) {
Integer bitStrength, String curveOid) {
switch (algorithm) {
case PublicKeyAlgorithmTags.RSA_GENERAL: {
if (bitStrength < 2048) {
@ -179,8 +154,7 @@ public class PgpSecurityConstants {
return null;
}
// ELGAMAL_GENERAL: deprecated in RFC 4880, use ELGAMAL_ENCRYPT
// DIFFIE_HELLMAN: unsure
// TODO specialize all cases!
// DIFFIE_HELLMAN: deprecated
default:
return new UnidentifiedKeyProblem(masterKeyId, subKeyId, algorithm);
}
@ -190,12 +164,9 @@ public class PgpSecurityConstants {
* These array is written as a list of preferred encryption algorithms into keys created by us.
* Other implementations may choose to honor this selection.
* (Most preferred is first)
*
* REASON: See corresponding list. AES received most cryptanalysis over the years
* and is still secure!
*/
public static final int[] PREFERRED_SYMMETRIC_ALGORITHMS = new int[]{
SymmetricKeyAlgorithmTags.AES_256,
SymmetricKeyAlgorithmTags.AES_256, // AES received most cryptanalysis over the years and is still secure!
SymmetricKeyAlgorithmTags.AES_192,
SymmetricKeyAlgorithmTags.AES_128,
};
@ -204,22 +175,22 @@ public class PgpSecurityConstants {
* These array is written as a list of preferred hash algorithms into keys created by us.
* Other implementations may choose to honor this selection.
* (Most preferred is first)
*
* REASON: See corresponding list. If possible use SHA-512, this is state of the art!
*/
public static final int[] PREFERRED_HASH_ALGORITHMS = new int[]{
HashAlgorithmTags.SHA512,
HashAlgorithmTags.SHA512, // If possible use SHA-512, this is state of the art!
};
/**
* These array is written as a list of preferred compression algorithms into keys created by us.
* Other implementations may choose to honor this selection.
* (Most preferred is first)
*
* <p>
* REASON: See DEFAULT_COMPRESSION_ALGORITHM
*/
public static final int[] PREFERRED_COMPRESSION_ALGORITHMS = new int[]{
CompressionAlgorithmTags.ZIP,
// ZLIB: the format provides no benefits over DEFLATE, and is more malleable
// BZIP2: very slow
};
/**
@ -229,14 +200,8 @@ public class PgpSecurityConstants {
/**
* Always use AES-256! We always ignore the preferred encryption algos of the recipient!
*
* coorus:
* Implementations SHOULD ignore the symmetric algorithm preferences of a recipient's public key;
* in particular, implementations MUST NOT choose an algorithm forbidden by this
* document because a recipient prefers it.
*
* NEEDCITE downgrade attacks on TLS, other protocols
* Always use AES-256!
* We always ignore the preferred encryption algos of the recipient!
*/
public static final int DEFAULT_SYMMETRIC_ALGORITHM = SymmetricKeyAlgorithmTags.AES_256;
@ -245,18 +210,8 @@ public class PgpSecurityConstants {
}
/**
* Always use SHA-512! We always ignore the preferred hash algos of the recipient!
*
* coorus:
* Implementations MUST ignore the hash algorithm preferences of a recipient when signing
* a message to a recipient. The difficulty of forging a signature under a given key,
* using generic attacks on hash functions, is the difficulty of the weakest hash signed by that key.
*
* Implementations MUST default to using SHA-512 for RSA signatures,
*
* and either SHA-512 or the matched instance of SHA-2 for ECDSA signatures.
* TODO: Ed25519
* CITE: zooko's hash function table CITE: distinguishers on SHA-256
* Always use SHA-512!
* We always ignore the preferred hash algos of the recipient!
*/
public static final int DEFAULT_HASH_ALGORITHM = HashAlgorithmTags.SHA512;
@ -266,16 +221,13 @@ public class PgpSecurityConstants {
/**
* Compression is disabled by default.
*
* <p>
* The default compression algorithm is only used if explicitly enabled in the activity's
* overflow menu or via the OpenPGP API's extra OpenPgpApi.EXTRA_ENABLE_COMPRESSION
*
* <p>
* REASON: Enabling compression can lead to a sidechannel. Consider a voting that is done via
* OpenPGP. Compression can lead to different ciphertext lengths based on the user's voting.
* This has happened in a voting done by Wikipedia (Google it).
*
* ZLIB: the format provides no benefits over DEFLATE, and is more malleable
* BZIP2: very slow
*/
public static final int DEFAULT_COMPRESSION_ALGORITHM = CompressionAlgorithmTags.ZIP;
@ -296,7 +248,7 @@ public class PgpSecurityConstants {
* or about 1 million iterations. The maximum you can go to is
* 0xff, or about 2 million iterations.
* from http://kbsriram.com/2013/01/generating-rsa-keys-with-bouncycastle.html
*
* <p>
* Bouncy Castle default: 0x60
* kbsriram proposes: 0xc0
* Yahoo's End-to-End: 96=0x60 (65536 iterations) (https://github.com/yahoo/end-to-end/blob/master/src/javascript/crypto/e2e/openpgp/keyring.js)