Re: Using gpg and gitattributes together

[Jeff King <peff@peff.net>]

On Fri, Feb 29, 2008 at 02:59:43PM +0000, Johannes Schindelin wrote:

> When encrypting, gpg uses a random element (to make the encryption harder 
> to break, I guess).  So when I update netrc with "git add" (and nothing 
> was changed), git will have a _different_ blob.

This is probably due to two things:

  1. random salting of the passphrase when generating a key

     To turn a passphrase into a key, you usually do something like

       salt = some random data
       K = hash(salt + passphrase)

     and then include the salt in your message (since the decrypter
     needs to know it). The point is to avoid dictionary attacks against
     common passphrases (IOW, if "foobar" always becomes 0xabcdef, then
     I can just build a table lookup to make brute forcing faster).

     So you can turn this off at the price of lessened security against
     dictionary attacks.

  2. CBC mode with a random IV

     Most symmetric algorithms are block ciphers. There are many "modes"
     for encrypting a stream; a common one is CBC, which works like
     this:

       C[0] = random initial vector
       C[i] = E(K, P[i] ^ C[i-1])

     so each block depends on the block before, and the first block
     depends on some randomly selected data.

     You can switch to ECB mode, where C[i] = E(P[i]), but it can reveal
     patterns in the data (there is a nice graphical example on the
     wikipedia page:

       http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation

     You can also use the same IV over and over again, but that does
     leak some information: you can tell up to which block two messages
     encrypted with the same key and IV are the same.

     In the case of your netrc, either of these is probably OK. You are
     only trying to keep secret one fixed string within the file.

I don't think gpg's command-line interface is flexible enough to change
any of these options, but I might be wrong. You can definitely use
openssl like this:

  openssl aes-256-ecb -nosalt

If you wanted to implement higher quality encryption in git, you could
just encrypt/decrypt objects going into the object database (like how we
do zlib compression), but still name them by hash. The downside, though,
is that if objects are named by their contents, there is an obvious
"guessing" attack where I can see if your repo contains an object with
particular content. There might be a way around that, but I'd have to
give it some thought.

-Peff