[Autocrypt] usability and passphrase-less keys
holger at merlinux.eu
Wed May 3 11:48:03 EDT 2017
here is my little subjective summary of usability and key length / passphrase discussions from last week which lead to maybe suprising results. First, a little quiz with which Vincent put several of us to a test of our intuitions about key length:
- how much CPU effort does it take to crack a 768-bit DSA (not even RSA) key?
- how many times harder is it to crack a 1024-bit key?
- how many times harder is it to crack a 2048-bit key compared to 1024-bit?
I leave these questions open for now if you want yourself to test your intuition and answer
and give an answer here.
Second, regarding passphrases i remember Patrick, Vincent, Thomas and me sitting together at one point ... and not only seeing per-key passphrases as un-neccessary on android which does not allow an app to read keys from openkeychain ... but also questioning whether per-key passphrases make sense for desktop/enigmail/maildevelope situations: If someone can access a home directory then chances are this desktop machine is compromised, rendering per-key passphrases likely useless. Moreover, many user-choices of passphrases are crackable for a determined attacker or the passphrase is so long that forgetting is likely. Moreover, there are movements (debian IIRC) to let the pgp keychain run in a different read-protected user account and thus landing us in a similar situation as Android.
The reason this was considered is that usability-wise passphrases are a nuisance. In several situations you have to enter a passphrase often. And not only many users but even crypto-programmers forget their passphrase, rendering their private key and thus decryption inaccessible. We had a report from one crypto-party where after generating, cross-signing and uploading keys, one newcomer confessed he had already forgot the passphrase, destroying his previous work. There are also "mental model mismatch" issues like "why do i have to enter my passphrase when sending email, shouldn't it just use the others public key to encrypt to the other side?" ...
Leaving further details aside (hope i didn't misrepresent anything) I eventually perceived us arriving at the conclusion that there is no good reason for defaulting to require passphrases when generating a key. and that "additionally protecting a single key" or so might be hidden in a config section which is not part of the default key setup. It appears much saner to suggest a "keychain lock" work flow which locks a whole keychain and not just protects a single key. And as far as data at rest is concerned, it's good practise to full-disk and/or home-directory encryption which protects a key (and many other useful data!) when a device is stolen. Note that within Autocrypt we are talking about email encryption, not other usages like package signing.
comments? Are there good reasons left to make passphrases part of a recommended workflow for autocrypt setups?
More information about the Autocrypt