On Thu 2013-10-24 15:05:45 -0400, Sylvain wrote:
I saw a lot of activity in the Debian project about upgrading to a
4096 RSA key,
e.g. http://lists.debian.org/debian-devel-announce/2010/09/msg3.html
However GnuPG's default is 2048.
ENISA (the European Union Agency for Network and
On Thu 31.10.2013, 16:31:02, Daniel Kahn Gillmor wrote:
http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/algorithms-key-sizes-and-parameters-report
There is one point I don't understand:
[3.6 Recommendations]
there is general agreement this should be above the
On Thu, Oct 31, 2013 at 10:02 PM, Hauke Laging
mailinglis...@hauke-laging.de wrote:
On Thu 31.10.2013, 16:31:02, Daniel Kahn Gillmor wrote:
http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/algorithms-key-sizes-and-parameters-report
There is one point I don't
But this http://eprint.iacr.org/2009/317 (mentioned by the German Wikipedia
article for AES) claims that AES-256 was down to 99.5 bits.
If memory serves that's a related-key attack.
(Hmm. When you've gotten to the point where you can recognize
academic papers by their URLs, maybe that's a
On 31/10/13 22:02, Hauke Laging wrote:
But this http://eprint.iacr.org/2009/317 (mentioned by the German Wikipedia
article for AES) claims that AES-256 was down to 99.5 bits.
I just glanced over the abstract, but didn't you glance over the term related
key? I.e., not generally applicable.
On 10/31/2013 4:31 PM, Daniel Kahn Gillmor wrote:
ENISA (the European Union Agency for Network and Information Security)
recently issued a report recommending that non-legacy systems using RSA
start with keys that are = 3072 bits (see page 30 of the PDF):
Huh -- fascinating! Thank you for
On 27.10.2013 19:47, Peter Lebbing wrote:
On 27/10/13 19:09, Filip M. Nowak wrote:
1) Specialized microcontrollers with crypto capabilities are
available and used for years now (AVR XMEGA which is 8 bit for
example)
AVR XMEGA has DES and AES,
On Sun, 27 Oct 2013 21:28, gn...@oneiroi.net said:
I don't think 1 second threshold is real no-go here. I would say you
have quite high requirements. Also some MUAs can contribute to such
Start working with encrypted mails and slow smartcards on a regular basis
and you would soon see what I
On 27.10.2013 2:09, Robert J. Hansen wrote:
The name of the game is economics. How much is the secret worth? If
it's worth $50,000 of computer equipment and cryptanalysis, then it's
also worth a $50,000 bribe, a $50,000 payment to a professional thief to
break in and plant keyloggers,
Often there is also value in breaking crypto so that the targeted
crypto users don't know it has been broken and thus continue to use
it (the algorithm and/or the specific key). If a big government
organization (take your pick) had broken algorithm/keysize xyz, would
they tell anybody?
Hard
On Sun, 27 Oct 2013 00:29, r...@sixdemonbag.org said:
Hi! I'm the quasi-official FAQ maintainer. You can read the current
text of the FAQ at:
While we are at it. What about making it the official one, i.e. change
the licenses to CC-by-ca/GPL? Given the importance of a FAQ I think we
should
Hi,
On Sat, Oct 26, 2013 at 06:29:26PM -0400, Robert J. Hansen wrote:
On 10/26/2013 3:40 PM, Sylvain wrote:
Thanks for your answer. To foster spending less time on these
discussions, how about this? :)
Hi! I'm the quasi-official FAQ maintainer. You can read the current
text of the FAQ
On 26-10-2013 14:13, Werner Koch wrote:
4k primary RSA keys increase the size of the signatures and thus make
the keyrings longer and, worse, computing the web of trust takes much
longer.
Yes, which leads to another question: why has the default switched from
ElGamal/DSA to RSA after the RSA
On 27/10/13 12:15, Johan Wevers wrote:
The only one I can think of is less dependence of a correctly functioning
RNG.
I think this is a very important one, as we've seen with the debacle with
OpenSSL in Debian where DSA keys were compromised even when just used to create
a signature[1].
But I
On 2013-10-27 12:30, Peter Lebbing wrote:
I think this is a very important one
Hmmm you press Send and you think: I might have overstated that.
Where's unsend? I think it's a real advantage of RSA. I don't think it's
a very important one, because other broken parts can compromise stuff
just
On 27-10-2013 12:30, Peter Lebbing wrote:
But I can think of another one: much more hardware support. Both smartcards and
crypto-accelerators either in a general purpose CPU or as a module in a computer.
I had not thought of the crypto cards, but the only crypto hardware
acceleration in
On Sun, 27 Oct 2013 12:15, joh...@vulcan.xs4all.nl said:
ElGamal/DSA to RSA after the RSA patent expired? Does RSA have any
advantages over ElGamal/DSA? The only one I can think of is less
It is in general faster and there are OpenPGP implementations which only
support RSA (despite that the
Yes, which leads to another question: why has the default switched from
ElGamal/DSA to RSA after the RSA patent expired?
Okay, first of all, I'm doing something wrong here, I should group my responses
and think a little longer about it. This is mail, not chat. My apologies.
I think RSA has
On 27/10/13 13:11, Peter Lebbing wrote:
A signature by a 2048-bit DSA key is twice as large as a signature by a
2048-bit RSA key, but offers the same order of strength.
Oops. I just read Werner's message, and I had it reversed :). Taking a look at
RFC 4880, I see that a 2048-bit key has a
On 27-10-2013 13:11, Peter Lebbing wrote:
I think RSA has seen more cryptanalysis than DSA and ElGamal, which is in
favour of RSA.
Well, both are not broken after substantial research. Further, a break
of ElGamal would also break RSA but not the other way around.
The rest of the arguments
On 27/10/13 13:21, Johan Wevers wrote:
Which makes me think, is it possible to generate a 2048 bit RSA signing
key combined with a 3072 or 4096 bit encryption key?
Yes, although I don't think it makes sense to create an X-bit primary key with a
Y-bit subkey if X is smaller than Y as the
On 27/10/13 12:53, Johan Wevers wrote:
But the few encrypted messages people get via email can easily be handled by
a much slower CPU than I have now. My reading speed is the limiting factor
there, not the computer's decrypting speed.
I was thinking of automated systems doing verifications,
Hi
On Sunday 27 October 2013 at 6:42:31 AM, in
mid:526cb5d7.1000...@sixdemonbag.org, Robert J. Hansen wrote:
The NSA never went public with the precise
vulnerability in SHA that caused them to develop and
release SHA-1, but they were quite
Hi
On Saturday 26 October 2013 at 4:16:32 PM, in
mid:3010964.cdgcmzl...@inno.berlin.laging.de, Hauke Laging wrote:
Why should anyone 25+ years from now spend a huge
amount of resources in order to read a tiny part of
today's everyday
Hi
On Saturday 26 October 2013 at 12:39:58 AM, in
mid:910f3581-eba2-49b1-89b4-655718ad3...@email.android.com, Paul R.
Ramer wrote:
Well, this assumes that you need 25 years of security.
If your messages *must* remain uncrackable for that
Hi,
On 10/26/2013 02:13 PM, Werner Koch wrote:
On Sat, 26 Oct 2013 11:35, b...@beuc.net said:
Plus, following this principle, why doesn't gnupg default to 4096 if
there isn't any reason not to? I would suppose that if gnupg defaults
4k primary RSA keys increase the size of the signatures
On 10/27/2013 01:32 PM, Peter Lebbing wrote:
(...)
But the following layout is sensible on some level:
Which more or less means exactly nothing.
3072-bit RSA primary for certification (C)
2048-bit RSA subkey for data signatures (S)
3072-bit RSA subkey for encryption (E)
(...)
On 10/27/2013 7:15 AM, Johan Wevers wrote:
Does RSA have any advantages over ElGamal/DSA?
It's simpler to implement. That's a nontrivial benefit.
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
On 10/27/2013 8:21 AM, Johan Wevers wrote:
Well, both are not broken after substantial research. Further, a break
of ElGamal would also break RSA but not the other way around.
If you can compute discrete logs in a finite field, then you can factor,
yes, and the reverse is not guaranteed to be
On 10/27/2013 10:04 AM, MFPA wrote:
Which raises the question in my mind: was SHA really flawed, or was it
advantageous to NSA's purposes to have people use SHA-1 instead?
It's amazing what you can discover by checking Wikipedia.
SHA was deeply flawed. The civilian cryptanalytic community
On 10/27/2013 10:41 AM, MFPA wrote:
Couldn't a cryptographically broken algorithm also raise the problem
of forged digital signatures?
Yes and no. The mistake people make when discussing digital signatures
is to treat them as a purely mathematical exercise rather than as
something that exists
On 10/27/2013 12:47 PM, Filip M. Nowak wrote:
All this comes with a price of
increased processing power requirement and most of the hardware vendors
are doing really good here (really happily).
In the embedded space it's still quite common to see 8-bit processors
used as PICs. We're just
List, Robert.
On 10/27/2013 06:36 PM, Robert J. Hansen wrote:
On 10/27/2013 12:47 PM, Filip M. Nowak wrote:
All this comes with a price of
increased processing power requirement and most of the hardware vendors
are doing really good here (really happily).
In the embedded space it's still
On 27/10/13 19:09, Filip M. Nowak wrote:
1) Specialized microcontrollers with crypto capabilities are available
and used for years now (AVR XMEGA which is 8 bit for example)
AVR XMEGA has DES and AES, no asymmetric acceleration. Also, I think the market
of XMEGA is phenomenally tiny compared to
Hi,
On 10/27/2013 07:47 PM, Peter Lebbing wrote:
On 27/10/13 19:09, Filip M. Nowak wrote:
1) Specialized microcontrollers with crypto capabilities are available
and used for years now (AVR XMEGA which is 8 bit for example)
AVR XMEGA has DES and AES, no asymmetric acceleration. Also, I think
On 27-10-2013 18:36, Robert J. Hansen wrote:
Consumer-grade hardware is a decadent Garden of Eden. However, the tiny
little processor that monitors chemical levels at your local water
treatment plant is going to be embarrassingly low-powered.
That's fine, but I doubt I'll ever email such a
On Sun, 27 Oct 2013 17:47, gn...@oneiroi.net said:
Numbers please? Or are you talking about personal/subjective impressions?
What about you running some benchmarks for us? Let's say: a 4k RSA key
signed by 90 other 4k RSA keys, 8 2k RSA keys, and one 8k RSA key. For
security reasons key
Hello,
On 10/27/2013 08:41 PM, Werner Koch wrote:
On Sun, 27 Oct 2013 17:47, gn...@oneiroi.net said:
Numbers please? Or are you talking about personal/subjective impressions?
What about you running some benchmarks for us? Let's say: a 4k RSA key
signed by 90 other 4k RSA keys, 8 2k RSA
Robert J. Hansen r...@sixdemonbag.org wrote:
Let's say that tomorrow I lose my passphrase and make a new keypair.
Then in 25 years someone approaches me with a signed OpenPGP message
dated Christmas 2013, saying I agree to pay you one million dollars at
Christmas 2038. I scream it's a forgery,
On 27.10.2013 20:41, Werner Koch wrote:
On Sun, 27 Oct 2013 17:47, gn...@oneiroi.net said:
Numbers please? Or are you talking about personal/subjective impressions?
What about you running some benchmarks for us? Let's say: a 4k RSA key
signed by 90 other 4k RSA keys, 8 2k RSA keys, and one
On 10/27/2013 4:21 PM, Mark Schneider wrote:
Are there formal reasons why the max length of the RSA key is limited in
gnupg[2] linux packages to 4096 Bits only?
Yes; because past 3072 bits it's time to go to something other than RSA.
Several respectable organizations (not only NIST) have done
Hi and thanks for your answers,
Would it be a good idea to update the FAQ in this regard?
http://www.gnupg.org/faq/GnuPG-FAQ.html#what-is-the-recommended-key-size
- 1024 bit for DSA signatures; even for plain Elgamal signatures.
Also,
On Fri, Oct 25, 2013 at 02:19:08AM +0200, Christoph Anton
On Sat, 26 Oct 2013 11:35, b...@beuc.net said:
Plus, following this principle, why doesn't gnupg default to 4096 if
there isn't any reason not to? I would suppose that if gnupg defaults
4k primary RSA keys increase the size of the signatures and thus make
the keyrings longer and, worse,
On 10/25/2013 5:45 PM, Johan Wevers wrote:
The authority of NIST is of course severely reduced since the
Snowden revelations and their own suspicious behaviour with the Dual
EC PRNG.
*To you* they're severely reduced. Please don't presume to make ex
cathedra statements for the rest of the
On 10/26/2013 12:16 AM, Paul R. Ramer wrote:
I am not saying that anyone should use 2048 bit RSA because the DoD
uses it. It is just a data point. That being said, I am doubtful that
classified discussions are being done over email.
CAC is used for encrypted email, at least according to
On Fri 25.10.2013, 23:45:50, Johan Wevers wrote:
Further, if they expect it to be secure for only 25 years,
This means that every single key is secure over that time. It means that after
25 years organizations with huge resources may be able to crack a *single* key
in a lot of time (rather a
Hi Werner,
On Sat, Oct 26, 2013 at 02:13:15PM +0200, Werner Koch wrote:
Instead of discussing these numbers the time could be much better used to
audit the used software (firmware, OS, libs, apps).
Thanks for your answer. To foster spending less time on these
discussions, how about this? :)
On 10/26/2013 3:40 PM, Sylvain wrote:
Thanks for your answer. To foster spending less time on these
discussions, how about this? :)
Hi! I'm the quasi-official FAQ maintainer. You can read the current
text of the FAQ at:
https://github.com/rjhansen/gpgfaq/blob/master/gpgfaq.xml
On Sat, 2013-10-26 at 14:13 +0200, Werner Koch wrote:
Now, if
you want to protect something you need to think like the attacker - what
will an attacker do to get the plaintext (or fake a signature)? Spend
millions on breaking a few 2k keys (assuming this is at all possible
within the next
On 10/26/2013 5:44 PM, Christoph Anton Mitterer wrote:
Well with that argument you can always defeat any crypto... a real
attacker will not care whether you use 786 bit RSA keys or 16k bit
keys... he comes for you and tortures you until you happily give him
anything he wants...
The name of
On 10/26/2013 07:36 AM, Robert J. Hansen wrote:
On 10/26/2013 12:16 AM, Paul R. Ramer wrote:
I am not saying that anyone should use 2048 bit RSA because the DoD
uses it. It is just a data point. That being said, I am doubtful that
classified discussions are being done over email.
CAC is
On 25.10.2013, Sylvain wrote:
Is this zealotry on the Debian front, or something to update in gnupg?
It's a matter of taste, and there are arguments both for and against.
In my case, having a 4096 bit key has no major drawbacks, so I'm using
one. If you trust gpg, you can safely trust the
On Thu, 2013-10-24 at 21:05 +0200, Sylvain wrote:
Is this zealotry on the Debian front, or something to update in gnupg?
As they write,... they don't see a specific (i.e. technical or
performance) reason not to do so.
Some people may argue that 2048 is secure enough for many many years to
come.
On Fri, Oct 25, 2013 at 2:19 AM, Christoph Anton Mitterer
christoph.anton.mitte...@lmu.de wrote:
On Thu, 2013-10-24 at 21:05 +0200, Sylvain wrote:
Is this zealotry on the Debian front, or something to update in gnupg?
As they write,... they don't see a specific (i.e. technical or
performance)
On 25-10-2013 1:46, Robert J. Hansen wrote:
Mostly zealotry. According to NIST, RSA-2048 is expected to be secure
for about the next 25 years.
The authority of NIST is of course severely reduced since the Snowden
revelations and their own suspicious behaviour with the Dual EC PRNG.
Further,
Johan Wevers joh...@vulcan.xs4all.nl wrote:
On 25-10-2013 1:46, Robert J. Hansen wrote:
Mostly zealotry. According to NIST, RSA-2048 is expected to be secure
for about the next 25 years.
The authority of NIST is of course severely reduced since the Snowden
revelations and their own suspicious
On 10/24/2013 04:46 PM, Robert J. Hansen wrote:
Is this zealotry on the Debian front, or something to update in gnupg?
Mostly zealotry. According to NIST, RSA-2048 is expected to be secure
for about the next 25 years.
To add further to this, the U.S. military uses 2048 bit RSA keys for
Hi,
I saw a lot of activity in the Debian project about upgrading to a
4096 RSA key,
e.g. http://lists.debian.org/debian-devel-announce/2010/09/msg3.html
However GnuPG's default is 2048.
Is this zealotry on the Debian front, or something to update in gnupg?
Cheers!
Sylvain
Is this zealotry on the Debian front, or something to update in gnupg?
Mostly zealotry. According to NIST, RSA-2048 is expected to be secure
for about the next 25 years.
On Oct 24, 2013, at 3:05 PM, Sylvain b...@beuc.net wrote:
Hi,
I saw a lot of activity in the Debian project about upgrading to a
4096 RSA key,
e.g. http://lists.debian.org/debian-devel-announce/2010/09/msg3.html
However GnuPG's default is 2048.
Is this zealotry on the Debian
Sylvain b...@beuc.net wrote:
Hi,
I saw a lot of activity in the Debian project about upgrading to a
4096 RSA key,
e.g. http://lists.debian.org/debian-devel-announce/2010/09/msg3.html
However GnuPG's default is 2048.
Is this zealotry on the Debian front, or something to update in gnupg?
Hi,