Re: What is the practical strength of DSA1024/Elgamal2048 (former GnuPG default)?
On 30.08.2019 01:02, Brian Minton wrote:
> On Thu, Apr 25, 2019 at 11:19:15AM +0200, Kristian Fiskerstrand wrote:
>> On 4/25/19 9:20 AM, Bernhard Reiter wrote:
>>> Wikipedia points out a strong sensitivity of the algorithm to the quality of
>>> random number generators and that implementations could deliberately leak
>>> information in the signature [3]. This alone probably is a reason to switch
>>> keys.
>>
>> This isn't really a major point given rfc6979 (
>> https://tools.ietf.org/html/rfc6979 ): Deterministic Usage of the
>> Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature
>> Algorithm (ECDSA)
>
> Does GnuPG use deterministic DSA / ECDSA?

Yes (at least for modern versions, iirc it was introduced in libgcrypt
1.6.0, but it has been used for 6 or so years)

--
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
Corruptissima re publica plurimæ leges
The greater the degeneration of the republic, the more of its laws

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: What is the practical strength of DSA1024/Elgamal2048 (former GnuPG default)?
On Thu, Apr 25, 2019 at 11:19:15AM +0200, Kristian Fiskerstrand wrote:
> On 4/25/19 9:20 AM, Bernhard Reiter wrote:
> > Wikipedia points out a strong sensitivity of the algorithm to the quality of
> > random number generators and that implementations could deliberately leak
> > information in the signature [3]. This alone probably is a reason to switch
> > keys.
>
> This isn't really a major point given rfc6979 (
> https://tools.ietf.org/html/rfc6979 ): Deterministic Usage of the
> Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature
> Algorithm (ECDSA)

Does GnuPG use deterministic DSA / ECDSA?
Re: What is the practical strength of DSA1024/Elgamal2048 (former GnuPG default)?
On 4/25/19 9:20 AM, Bernhard Reiter wrote:
> Wikipedia points out a strong sensitivity of the algorithm to the quality of
> random number generators and that implementations could deliberately leak
> information in the signature [3]. This alone probably is a reason to switch
> keys.

This isn't really a major point given rfc6979 (
https://tools.ietf.org/html/rfc6979 ): Deterministic Usage of the
Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature
Algorithm (ECDSA)

--
Kristian Fiskerstrand
What is the practical strength of DSA1024/Elgamal2048 (former GnuPG default)?
Hello,

until about 2009 GnuPG [1] had dsa1024/elg2048 as default key algorithms.
There are still keys around with those algorithms.

Recommendations from the US and Europe [2] only list DSA between 1900 and 3000
bits as allowed for legacy use. So it is clear that DSA1024 should not be used
anymore.

How urgent is it to convince people to create new keypairs?
To me this means rephrased: How strong or weak is this combination of keys
for today's usage?

Wikipedia points out a strong sensitivity of the algorithm to the quality of
random number generators and that implementations could deliberately leak
information in the signature [3]. This alone probably is a reason to switch
keys.

Apart from the problems an attacker could be solving the discrete log problem.
A presentation from 2013 [4] assumes that advances are made towards solving
this in a practical time frame. Does somebody have good pointers on the state
of the art for this?

Because dsa1024/elg2048 used to be a default of GnuPG, I think it would be
helpful to point our users towards a well understood reasoning when and why
they should move to a better key-pair. What do you think?

Best Regards,
Bernhard

[1] https://lists.gnupg.org/pipermail/gnupg-devel/2009-May/025079.html
[2] https://www.sogis.eu/documents/cc/crypto/SOGIS-Agreed-Cryptographic-Mechanisms-1.1.pdf
    https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf#page=66
[3] https://en.wikipedia.org/wiki/Digital_Signature_Algorithm#Sensitivity
[4] https://isecpartners.com/media/105564/ritter_samuel_stamos_bh_2013_cryptopocalypse.pdf

--
www.intevation.de/~bernhard +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner