Let's use Ed25519 with GnuPG 2.1 and Gnuk Token! Niibe Yutaka One - - PowerPoint PPT Presentation

▶

Dec 25, 2023 265 likes •434 views

Let's use Ed25519 with GnuPG 2.1 and Gnuk Token! Niibe Yutaka One of New Features in GnuPG 2.1 ECC: Elliptic Curve Cryptography New algorithm for public key crypto Benefit Smaller key size for equivalent strength NOTE:

SLIDE 1

Let's use Ed25519 with GnuPG 2.1 and Gnuk Token!

Niibe Yutaka

SLIDE 2

One of New Features in GnuPG 2.1

ECC: Elliptic Curve Cryptography
New algorithm for public key crypto
Benefit
Smaller key size for equivalent strength
NOTE: It's not Post-quantum crypto
It can be broken by Shor's algorithm

SLIDE 3

ECC supported by GnuPG 2.1

"Classic" ECC
Defined by some standard organizations
"Modern" ECC
https://safecurves.cr.yp.to/

SLIDE 4

"Classic" ECC in GnuPG 2.1

NIST Curves

P-256, P-384, P-521

Brainpool

P-256, P-384, P-512

secp256k1

Satoshi's Choice

Feature
Too difficult to implement correctly
Backdoor? Who knows?

SLIDE 5

"Modern" ECC in GnuPG 2.1

GnuPG 2.1 supports:
Ed25519 for digital signature
X25519 for encryption/decryption

SLIDE 6

Let's start using Ed25519!

ksp-dc17.txt: 4 / 142
We know migration will take time
When should we... ?
Why not try something GNU today?

SLIDE 7

Need some reason?

Gnuk supports Ed25519/X25519
It's faster than RSA
0.1sec for signature
0.2sec for decryption
Much safer against SCA
OpenSSH supports Ed25519 auth

SLIDE 8

Gnuk BoF

Gnuk is the USB security token implementation
10AM on Friday at Woody

SLIDE 9

Issues

Not yet standardized
draft-ietf-openpgp-rfc4880bis-02
SKS 1.1.6 supports Ed25519/X25519 keys
subset.pool.sks-keyservers.net
Other keyservers don't support ECC keys yet
wotsap does not yet support ECC keys
alioth doesn't allow Ed25519 keys for SSH

SLIDE 10

HOWTO

preparation
key generation
addkey

SLIDE 11

HOWTO: preparation

$ mkdir tmp/new-gpg-ecc $ export GNUPGHOME=tmp/new-gpg-ecc $ chmod og-rx $GNUPGHOME $ gpg --version

SLIDE 12

HOWTO: key generation

$ gpg --expert --full-gen-key Select '9' for "ECC and ECC". Select '1' for 'Curve25519' to use Ed25519/X25519.

SLIDE 13

HOWTO: addkey

$ gpg --expert --edit-key chuji [...] gpg> addkey Select '11' for adding "Authentication" subkey for SSH. Toggle capability to "Authenticate" only: a->s->q Select '1' for 'Curve25519' to use Ed25519/X25519. Type 'save' to save new subkey.

SLIDE 14

HOWTO: send-keys

Don't forget to add

-keyserver subset.pool.sks-keyservers.net

SLIDE 15

Questions?

Q1: A1:

SLIDE 16

Let's use Ed25519 with GnuPG 2.1 and Gnuk Token!

Niibe Yutaka

One of New Features in GnuPG 2.1

ECC supported by GnuPG 2.1

"Classic" ECC in GnuPG 2.1

P-256, P-384, P-521

P-256, P-384, P-512

Satoshi's Choice

"Modern" ECC in GnuPG 2.1

Let's start using Ed25519!

Need some reason?

Gnuk BoF

Issues

HOWTO

HOWTO: preparation

$ mkdir tmp/new-gpg-ecc $ export GNUPGHOME=tmp/new-gpg-ecc $ chmod og-rx $GNUPGHOME $ gpg --version

HOWTO: key generation

$ gpg --expert --full-gen-key Select '9' for "ECC and ECC". Select '1' for 'Curve25519' to use Ed25519/X25519.

HOWTO: addkey

$ gpg --expert --edit-key chuji [...] gpg> addkey Select '11' for adding "Authentication" subkey for SSH. Toggle capability to "Authenticate" only: a->s->q Select '1' for 'Curve25519' to use Ed25519/X25519. Type 'save' to save new subkey.

HOWTO: send-keys

Don't forget to add

Questions?

Q1: A1:

Questions?

Q1: Can I ask putting my Ed25519/X25519 key to debian-keyring? A1: