
Correct me if I'm wrong at any point of this question.

I understand that AES is a lot cheaper to compute than RSA (or any form of asymmetric encryption) and that that is why GPG and similar programs (the OpenPGP standard?) use RSA to encrypt an AES key in the header to the AES-encrypted body of an encrypted text. This also has the awesome side benefit of being able to encrypt a text with multiple recipients (just encrypt multiple headers with multiple keys; though obviously the security of the message is only as strong as the weakest recipient).

But I have one major confusion about all of this, specifically when I read up on the virtues of 2048 vs. 4096-bit keys: how secure is the AES encryption of the body? How long is the key? Is it outside of the realm of possibility that the body text itself, independent of the RSA-encrypted key-headers, will be vulnerable in the near-term future? Perhaps sooner than NIST's recommended expiration date for 2048 keys?

I know of no way to specify the symmetric encryption when encrypting with GPG, and believe I have even seen an answer on this board suggesting you cannot specify the symmetric encryption algorithm of the body when asymmetrically encrypting with GPG.

mas
  • `man gpg` ... *-c Encrypt with a symmetric cipher using a passphrase. The default symmetric cipher used is AES-128, but may be chosen with the --cipher-algo option.* ... RSA as an asymmetric algorithm serves a different purpose than the AES symmetric algorithm. If I distribute a public key, I am not required to distribute a password... but I can still receive encrypted messages. – RubberStamp Feb 15 '19 at 21:15
  • @RubberStamp I understand that. The point is that one can attack the RSA-encrypted header that contains the AES symmetric key that encrypted the body of the message, *or*, one can directly attack the AES encrypted body of the message. I can symmetrically encrypt a message with `-c`, but when I encrypt with someone's public key I know of no way to specify the encryption algorithm for the body of the message. Only the header, as I understand it, is RSA encrypted. – mas Feb 15 '19 at 21:28
  • Here is further explanation of the format of the gpg-encrypted ciphertext: https://security.stackexchange.com/a/8251/178337 – mas Feb 15 '19 at 21:35
  • So... you have an exploit in mind for [attacking AES-128 or 256](https://crypto.stackexchange.com/questions/61795/calculate-all-possible-keys-for-aes-128-encryption-to-exploit-hardware-encryptio) ? .... or is this a theoretical exercise? .... [related](https://security.stackexchange.com/questions/59190/why-do-you-need-a-4096-bit-dsa-key-when-aes-is-only-256-bits) – RubberStamp Feb 16 '19 at 03:44
  • @RubberStamp Definitely theoretical, and in fact your link pretty much answered my question so I'm going to try to mark my own question as a dupe. – mas Feb 16 '19 at 14:07
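The layout the question and the linked format answer describe (one RSA-encrypted session-key header per recipient, then a single symmetrically encrypted body) can be seen by walking the OpenPGP packet skeleton. The parser below is an added example, not code from the question or from GnuPG: it builds a constructed message with two fake recipient key IDs and dummy RSA ciphertexts, then parses the RFC 4880 packet headers back out. No RSA or AES is performed; the example only shows the outer structure, and the point to take away is that the symmetric algorithm identifier is inside the RSA-encrypted payload, so it is not visible without a recipient's private key.

```python
"""Walk the packet skeleton of an OpenPGP (RFC 4880) encrypted message.

Constructed example: two Public-Key Encrypted Session Key (PKESK, tag 1)
packets, one per recipient, followed by one Symmetrically Encrypted
Integrity Protected Data (SEIPD, tag 18) packet that holds the AES body.
After RSA decryption a PKESK payload is: 1 octet symmetric algorithm ID,
the session key, 2-octet checksum (RFC 4880 5.1).  This example does no
RSA; it only shows the outer structure an attacker can see.
"""
import struct

PACKET_TAGS = {
    1: "Public-Key Encrypted Session Key (PKESK)",
    3: "Symmetric-Key Encrypted Session Key (SKESK)",
    9: "Symmetrically Encrypted Data (legacy, no MDC)",
    18: "Sym. Encrypted Integrity Protected Data (SEIPD)",
}
PK_ALGOS = {1: "RSA", 2: "RSA encrypt-only", 16: "Elgamal", 18: "ECDH"}


def mpi(magnitude):
    """Encode an OpenPGP multiprecision integer: 2-octet bit count + magnitude."""
    bits = int.from_bytes(magnitude, "big").bit_length()
    return struct.pack(">H", bits) + magnitude


def new_packet(tag, body):
    """Wrap body in a new-format packet header (RFC 4880 4.2.2)."""
    n = len(body)
    if n < 192:
        length = bytes([n])
    elif n < 8384:
        length = bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    else:
        length = b"\xff" + struct.pack(">I", n)
    return bytes([0xC0 | tag]) + length + body


def build_pkesk(key_id, rsa_ciphertext):
    """PKESK body: version 3, 8-octet key ID, PK algo (1 = RSA), one MPI."""
    return new_packet(1, b"\x03" + key_id + b"\x01" + mpi(rsa_ciphertext))


# Constructed sample: fake key IDs and dummy 2048-bit RSA ciphertexts.
FAKE_RSA_CT = b"\x9a" * 256
SAMPLE_MESSAGE = (
    build_pkesk(bytes.fromhex("0102030405060708"), FAKE_RSA_CT)
    + build_pkesk(bytes.fromhex("A1B2C3D4E5F60718"), FAKE_RSA_CT)
    + new_packet(18, b"\x01" + bytes(range(48)))  # version 1 + dummy body
)


def parse_header(buf, pos):
    """Return (tag, body_offset, body_length) for the packet at buf[pos:]."""
    ctb = buf[pos]
    if not ctb & 0x80:
        raise ValueError("bit 7 of the packet tag octet must be set")
    if ctb & 0x40:  # new-format header: tag in the low 6 bits
        tag = ctb & 0x3F
        first = buf[pos + 1]
        if first < 192:
            return tag, pos + 2, first
        if first < 224:
            return tag, pos + 3, ((first - 192) << 8) + buf[pos + 2] + 192
        if first == 255:
            return tag, pos + 6, struct.unpack(">I", buf[pos + 2:pos + 6])[0]
        raise ValueError("partial body lengths not handled in this example")
    # old-format header: tag in bits 5..2, length type in bits 1..0
    tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
    if ltype == 0:
        return tag, pos + 2, buf[pos + 1]
    if ltype == 1:
        return tag, pos + 3, struct.unpack(">H", buf[pos + 1:pos + 3])[0]
    if ltype == 2:
        return tag, pos + 5, struct.unpack(">I", buf[pos + 1:pos + 5])[0]
    raise ValueError("indeterminate length not handled in this example")


def parse_message(buf):
    """Walk the packet sequence; return one dict per packet."""
    packets, pos = [], 0
    while pos < len(buf):
        tag, start, length = parse_header(buf, pos)
        body = buf[start:start + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        info = {"tag": tag, "name": PACKET_TAGS.get(tag, f"tag {tag}"), "length": length}
        if tag == 1:  # PKESK: version(1) key-id(8) pk-algo(1) MPI(s)
            info["version"] = body[0]
            info["key_id"] = body[1:9].hex().upper()
            info["pk_algo"] = PK_ALGOS.get(body[9], f"algo {body[9]}")
            info["mpi_bits"] = struct.unpack(">H", body[10:12])[0]
        elif tag == 18:
            info["version"] = body[0]
        packets.append(info)
        pos = start + length
    return packets


def recipients(buf):
    """Key IDs of every recipient the message was encrypted to."""
    return [p["key_id"] for p in parse_message(buf) if p["tag"] == 1]


if __name__ == "__main__":
    for p in parse_message(SAMPLE_MESSAGE):
        print(p)
    print("recipients:", recipients(SAMPLE_MESSAGE))
```

On a real file, `gpg --list-packets` prints the same skeleton (one `:pubkey enc packet:` per recipient, then `:encrypted data packet:`); it reports the symmetric cipher only once it has decrypted a session-key packet with one of your private keys, because that is where the algorithm octet lives.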

0 Answers