diff options
author | Dominik Schürmann <dominik@dominikschuermann.de> | 2015-08-02 23:34:00 +0200 |
---|---|---|
committer | Dominik Schürmann <dominik@dominikschuermann.de> | 2015-08-10 09:35:23 +0200 |
commit | 3d8eda6e3e3748e32e4c47a405cd8c6962e28a96 (patch) | |
tree | 9bd5ab479d0fc5b38cc3f921c39d98a0500a05e7 /OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/PgpConstants.java | |
parent | 7c40d89eeaf1d50b00a3c6a901894a1db64c0142 (diff) | |
download | open-keychain-3d8eda6e3e3748e32e4c47a405cd8c6962e28a96.tar.gz open-keychain-3d8eda6e3e3748e32e4c47a405cd8c6962e28a96.tar.bz2 open-keychain-3d8eda6e3e3748e32e4c47a405cd8c6962e28a96.zip |
Improve comments and reasons in PgpConstants, simple checks for insecure asymmetric keys
Diffstat (limited to 'OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/PgpConstants.java')
-rw-r--r-- | OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/PgpConstants.java | 174 |
1 files changed, 0 insertions, 174 deletions
diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/PgpConstants.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/PgpConstants.java deleted file mode 100644 index 7162a3366..000000000 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/PgpConstants.java +++ /dev/null @@ -1,174 +0,0 @@ -/* - * Copyright (C) 2015 Dominik Schürmann <dominik@dominikschuermann.de> - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - */ - -package org.sufficientlysecure.keychain.pgp; - -import org.spongycastle.bcpg.CompressionAlgorithmTags; -import org.spongycastle.bcpg.HashAlgorithmTags; -import org.spongycastle.bcpg.SymmetricKeyAlgorithmTags; - -import java.util.HashSet; - -/** - * NIST requirements for 2011-2030 (http://www.keylength.com/en/4/): - * - RSA: 2048 bit - * - ECC: 224 bit - * - Symmetric: 3TDEA - * - Digital Signature (hash A): SHA-224 - SHA-512 - * - * Many decisions are based on https://gist.github.com/coruus/68a8c65571e2b4225a69 - */ -public class PgpConstants { - -// public interface MIN_REQUIREMENT { -// int MIN_BITS; -// int BINDING_SIGNATURE_HASH_ALGO; // for User IDs, subkeys,... -// int SYMMETRIC_ALGO; -// } - // https://tools.ietf.org/html/rfc6637#section-13 - - /* - PgpDecryptVerify: Secure Algorithms Whitelist - all other algorithms will be rejected with OpenPgpDecryptionResult.RESULT_INSECURE - - No broken ciphers or ciphers with key length smaller than 128 bit are allowed! - */ - public static HashSet<Integer> sSymmetricAlgorithmsWhitelist = new HashSet<>(); - static { - sSymmetricAlgorithmsWhitelist.add(SymmetricKeyAlgorithmTags.AES_256); - sSymmetricAlgorithmsWhitelist.add(SymmetricKeyAlgorithmTags.AES_192); - sSymmetricAlgorithmsWhitelist.add(SymmetricKeyAlgorithmTags.AES_128); - sSymmetricAlgorithmsWhitelist.add(SymmetricKeyAlgorithmTags.TWOFISH); // 128 bit - } - - // all other algorithms will be rejected with OpenPgpSignatureResult.RESULT_INVALID_INSECURE - public static HashSet<Integer> sHashAlgorithmsWhitelist = new HashSet<>(); - static { - sHashAlgorithmsWhitelist.add(HashAlgorithmTags.SHA512); - sHashAlgorithmsWhitelist.add(HashAlgorithmTags.SHA384); - /* - TODO: SHA256 and SHA224 are still allowed even though - coruus advises against it, to enable better backward compatibility - - coruus: - Implementations MUST NOT sign SHA-224 hashes. They SHOULD NOT accept signatures over SHA-224 hashes. - ((collision resistance of 112-bits)) - Implementations SHOULD NOT sign SHA-256 hashes. They MUST NOT default to signing SHA-256 hashes. - */ - sHashAlgorithmsWhitelist.add(HashAlgorithmTags.SHA256); - sHashAlgorithmsWhitelist.add(HashAlgorithmTags.SHA224); - } - - /* - * Most preferred is first - * These arrays are written as preferred algorithms into the keys on creation. - * Other implementations may choose to honor this selection. - */ - public static final int[] PREFERRED_SYMMETRIC_ALGORITHMS = new int[]{ - SymmetricKeyAlgorithmTags.AES_256, - SymmetricKeyAlgorithmTags.AES_192, - SymmetricKeyAlgorithmTags.AES_128, - }; - - /* - coorus: - Implementations SHOULD use SHA-512 for RSA or DSA signatures. They SHOULD NOT use SHA-384. - ((cite to affine padding attacks; unproven status of RSA-PKCSv15)) - */ - public static final int[] PREFERRED_HASH_ALGORITHMS = new int[]{ - HashAlgorithmTags.SHA512, - }; - - /* - * Prefer ZIP - * "ZLIB provides no benefit over ZIP and is more malleable" - * - (OpenPGP WG mailinglist: "[openpgp] Intent to deprecate: Insecure primitives") - * BZIP2: very slow - */ - public static final int[] PREFERRED_COMPRESSION_ALGORITHMS = new int[]{ - CompressionAlgorithmTags.ZIP, - }; - - public static final int CERTIFY_HASH_ALGO = HashAlgorithmTags.SHA512; - - - /* - Always use AES-256! Ignore the preferred encryption algos of the recipient! - - coorus: - Implementations SHOULD ignore the symmetric algorithm preferences of a recipient's public key; - in particular, implementations MUST NOT choose an algorithm forbidden by this - document because a recipient prefers it. - - NEEDCITE downgrade attacks on TLS, other protocols - */ - public static final int DEFAULT_SYMMETRIC_ALGORITHM = SymmetricKeyAlgorithmTags.AES_256; - public interface OpenKeychainSymmetricKeyAlgorithmTags extends SymmetricKeyAlgorithmTags { - int USE_DEFAULT = -1; - } - - /* - Always use SHA-512! Ignore the preferred hash algos of the recipient! - - coorus: - Implementations MUST ignore the hash algorithm preferences of a recipient when signing - a message to a recipient. The difficulty of forging a signature under a given key, - using generic attacks on hash functions, is the difficulty of the weakest hash signed by that key. - - Implementations MUST default to using SHA-512 for RSA signatures, - - and either SHA-512 or the matched instance of SHA-2 for ECDSA signatures. - TODO: Ed25519 - CITE: zooko's hash function table CITE: distinguishers on SHA-256 - */ - public static final int DEFAULT_HASH_ALGORITHM = HashAlgorithmTags.SHA512; - public interface OpenKeychainHashAlgorithmTags extends HashAlgorithmTags { - int USE_DEFAULT = -1; - } - - public static final int DEFAULT_COMPRESSION_ALGORITHM = CompressionAlgorithmTags.ZIP; - public interface OpenKeychainCompressionAlgorithmTags extends CompressionAlgorithmTags { - int USE_DEFAULT = -1; - } - - /* - * Note: s2kcount is a number between 0 and 0xff that controls the - * number of times to iterate the password hash before use. More - * iterations are useful against offline attacks, as it takes more - * time to check each password. The actual number of iterations is - * rather complex, and also depends on the hash function in use. - * Refer to Section 3.7.1.3 in rfc4880.txt. Bigger numbers give - * you more iterations. As a rough rule of thumb, when using - * SHA256 as the hashing function, 0x10 gives you about 64 - * iterations, 0x20 about 128, 0x30 about 256 and so on till 0xf0, - * or about 1 million iterations. The maximum you can go to is - * 0xff, or about 2 million iterations. - * from http://kbsriram.com/2013/01/generating-rsa-keys-with-bouncycastle.html - * - * Bouncy Castle default: 0x60 - * kbsriram proposes: 0xc0 - * OpenKeychain: 0x90 - */ - public static final int SECRET_KEY_ENCRYPTOR_S2K_COUNT = 0x90; - public static final int SECRET_KEY_ENCRYPTOR_HASH_ALGO = HashAlgorithmTags.SHA512; - public static final int SECRET_KEY_ENCRYPTOR_SYMMETRIC_ALGO = SymmetricKeyAlgorithmTags.AES_256; - public static final int SECRET_KEY_BINDING_SIGNATURE_HASH_ALGO = HashAlgorithmTags.SHA512; - // NOTE: only SHA1 is supported for key checksum calculations in OpenPGP, - // see http://tools.ietf.org/html/rfc488 0#section-5.5.3 - public static final int SECRET_KEY_SIGNATURE_CHECKSUM_HASH_ALGO = HashAlgorithmTags.SHA1; - -} |