[Autocrypt] usability and passphrase-less keys

holger krekel holger at merlinux.eu
Wed May 3 11:48:03 EDT 2017


Hi autocrypters,

here is my little subjective summary of usability and key length / passphrase discussions from last week which led to maybe surprising results.  First, a little quiz with which Vincent put several of us to a test of our intuitions about key length:

- how much CPU effort does it take to crack a 768-bit DSA (not even RSA) key?

- how many times harder is it to crack a 1024-bit key? 

- how many times harder is it to crack a 2048-bit key compared to 1024-bit? 

I leave these questions open for now if you want to test your intuition yourself and give an answer here.

Second, regarding passphrases I remember Patrick, Vincent, Thomas and me sitting together at one point ... and not only seeing per-key passphrases as unnecessary on android which does not allow an app to read keys from openkeychain ... but also questioning whether per-key passphrases make sense for desktop/enigmail/mailvelope situations: If someone can access a home directory then chances are this desktop machine is compromised, rendering per-key passphrases likely useless.  Moreover, many user choices of passphrases are crackable for a determined attacker or the passphrase is so long that forgetting is likely.  Moreover, there are movements (debian IIRC) to let the pgp keychain run in a different read-protected user account and thus landing us in a similar situation as Android.

The reason this was considered is that usability-wise passphrases are a nuisance.  In several situations you have to enter a passphrase often.  And not only many users but even crypto-programmers forget their passphrase, rendering their private key and thus decryption inaccessible.  We had a report from one crypto-party where after generating, cross-signing and uploading keys, one newcomer confessed he had already forgotten the passphrase, destroying his previous work.  There are also "mental model mismatch" issues like "why do I have to enter my passphrase when sending email, shouldn't it just use the other's public key to encrypt to the other side?" ...

Leaving further details aside (hope I didn't misrepresent anything) I eventually perceived us arriving at the conclusion that there is no good reason for defaulting to require passphrases when generating a key, and that "additionally protecting a single key" or so might be hidden in a config section which is not part of the default key setup.  It appears much saner to suggest a "keychain lock" work flow which locks a whole keychain and not just protects a single key.  And as far as data at rest is concerned, it's good practice to use full-disk and/or home-directory encryption which protects a key (and many other useful data!) when a device is stolen.  Note that within Autocrypt we are talking about email encryption, not other usages like package signing.

comments?  Are there good reasons left to make passphrases part of a recommended workflow for autocrypt setups?

best,
holger
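As an added illustration of the key-length quiz at the top of this message (editor's example, not part of holger's mail or of the Autocrypt project), the script below applies the standard asymptotic running time of the number field sieve, L_n[1/3, (64/9)^(1/3)], to compare the work needed for 768-, 1024- and 2048-bit moduli. The heuristic covers both RSA factoring and the finite-field discrete log behind DSA; it drops the o(1) term, so it is only meaningful for ratios between sizes, and the 2000 core-year figure is the published cost of the 2009 RSA-768 factorization used as an anchor.

```python
import math

def nfs_log2_cost(bits):
    """log2 of the heuristic NFS work for an n-bit modulus:
    exp((64/9)^(1/3) * (ln n)^(1/3) * (ln ln n)^(2/3)), n ~ 2**bits.
    The o(1) term is dropped, so use this for ratios, not absolute numbers.
    For DSA this only models the prime p; the 160-bit subgroup q adds a
    separate generic-attack bound (~2**80) that is ignored here."""
    ln_n = bits * math.log(2)
    c = (64 / 9) ** (1 / 3)
    ln_cost = c * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return ln_cost / math.log(2)

def relative_difficulty(bits_small, bits_large):
    """How many times more work the heuristic predicts for the larger size."""
    return 2 ** (nfs_log2_cost(bits_large) - nfs_log2_cost(bits_small))

def scale_from_reference(ref_bits, ref_core_years, target_bits):
    """Scale a measured effort at ref_bits to target_bits using the heuristic.
    ref_core_years=2000 for 768 bits is the reported RSA-768 effort (2009)."""
    return ref_core_years * relative_difficulty(ref_bits, target_bits)

def quiz_answers():
    """The three quiz questions, answered with the heuristic."""
    return {
        "768_core_years": 2000.0,  # measured, not computed: RSA-768 record
        "1024_vs_768": relative_difficulty(768, 1024),    # ~1.2e3
        "2048_vs_1024": relative_difficulty(1024, 2048),  # ~1.1e9
        "1024_core_years": scale_from_reference(768, 2000.0, 1024),
    }

if __name__ == "__main__":
    for bits in (768, 1024, 2048):
        print(f"{bits:5d}-bit: ~2^{nfs_log2_cost(bits):.1f} NFS operations")
    for k, v in quiz_answers().items():
        print(f"{k}: {v:.3g}")
```

The step from 1024 to 2048 bits is about six orders of magnitude larger than the step from 768 to 1024, which is the intuition the quiz tests.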
