On Mon, Mar 7, 2011 at 4:03 PM, Charly Avital <[email protected]> wrote:
> GPG Keychain Access 0.8.4 shows a red warning 'This key maybe unsafe'
> for *any* key with a length equal or inferior to 1024 bits.
>
> GPG Keychain Access 0.8.4 is a GUI for key management for Mac users.
> <http://www.gpgtools.org/keychain.html>
>
> A Google search with key sentence "This key maybe unsafe" between
> inverted commas, to limit the search to the whole sentence, displays
> hits that relate directly or indirectly (Twitter) only to GPGTools' lists.

Search for Security Levels and then take a look at NIST SP 800-57 (Table 2, Comparable Strengths), SP 800-131, or ECRYPT2's "Yearly Report on Algorithms and Keysizes".

> Are keys whose length is equal or inferior to 1024 bits *unsafe*?

It depends on whom you ask. NIST say yes under most situations, others say no. Lenstra, et al. feel 1024 RSA/P-160 ECC will hold until 2020 with an acceptable amount of risk. See "On the Security of 1024-bit RSA and 160-bit Elliptic Curve Cryptography".

> If so, how are they unsafe?

The bad guy can recover your secrets because the "work" to break the key is too easy.

> Where is this key length unsafe situation documented?

See above.

> As a personal example, my primary key A57A8EFA is a DSA "old" 1024 bit
> key, but its encryption subkey is 2048 bit long, and I use a sign-only
> 2048 bit long RSA subkey. I also get that red warning with GPG Keychain
> Access 0.8.4

A 1024 bit key has a security level of about 80 bits. The 2048 bit key holds about 112 bits of security. The bad guy has two choices: break the 1024 signing key (80 bits of security), or allow you to send an ephemeral key comparable to a 2048 bit modulus (112 bits of security) and break the 2048 ephemeral key. He either attacks the 1024 bit key, or the 2048 bit key.

His choice is simple: break your signing key (1024 bits), then step in the middle and sign an ephemeral key of his choosing (pretending to be you).

As a side note, most SSL certificates I have looked at mismatch security levels also. GeoTrust just issued me two certificates signed with SHA-1. Yet my keys were RSA 2048/SHA-224. The bad guy should attack GeoTrust's weaker signature rather than my authentication keys :(

Jeff
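
Added example, not part of the original message and not GPGTools code: a weakest-link audit of a key hierarchy read from `gpg --list-keys --with-colons` style output, using the NIST SP 800-57 comparable-strength tiers cited in the reply. The sample listing and its key IDs are constructed placeholders, and rounding in-between key sizes down to the lower tier is an assumption.

```python
# Added example: weakest-link check over an OpenPGP key hierarchy.
# Strength tiers follow NIST SP 800-57 Part 1, Table 2 (comparable strengths)
# for RSA/DSA/Elgamal moduli; sizes between tiers are rounded down (assumption).
FFC_IFC_TIERS = [(15360, 256), (7680, 192), (3072, 128), (2048, 112), (1024, 80)]
ALGO_NAMES = {"1": "RSA", "16": "Elgamal", "17": "DSA"}  # OpenPGP algorithm IDs

# Constructed sample in `gpg --list-keys --with-colons` layout; key IDs are
# placeholders. It mirrors the hierarchy in the message: a 1024-bit DSA primary
# key, a 2048-bit encryption subkey, and a 2048-bit sign-only RSA subkey.
SAMPLE = """\
pub:u:1024:17:AAAAAAAAAAAAAAAA:1000000000:::u:::scSC:
uid:u::::1000000000::0000::Constructed User:
sub:u:2048:16:BBBBBBBBBBBBBBBB:1000000000::::::e:
sub:u:2048:1:CCCCCCCCCCCCCCCC:1000000000::::::s:
"""

def security_bits(modulus_bits):
    """Map an RSA/DSA/Elgamal key length to its comparable strength in bits."""
    for size, strength in FFC_IFC_TIERS:
        if modulus_bits >= size:
            return strength
    return 0  # below 1024 bits: weaker than the lowest tier in the table

def parse_keys(colon_listing):
    """Return one dict per pub/sub record with its algorithm and strength."""
    keys = []
    for line in colon_listing.splitlines():
        f = line.split(":")
        if f[0] not in ("pub", "sub") or f[3] not in ALGO_NAMES:
            continue  # skip uid records and algorithms outside this table
        keys.append({"type": f[0], "algo": ALGO_NAMES[f[3]], "bits": int(f[2]),
                     "keyid": f[4], "caps": f[11],
                     "strength": security_bits(int(f[2]))})
    return keys

def weakest_link(keys):
    """The hierarchy is only as strong as its weakest key."""
    return min(keys, key=lambda k: k["strength"])

def warnings(keys, floor=112):
    """List keys whose comparable strength falls below the chosen floor."""
    return [f'{k["type"]} {k["keyid"]} {k["algo"]}-{k["bits"]}: '
            f'~{k["strength"]}-bit security' for k in keys if k["strength"] < floor]

if __name__ == "__main__":
    ks = parse_keys(SAMPLE)
    print("weakest:", weakest_link(ks))
    print("\n".join(warnings(ks)))
```

On the constructed listing only the 1024-bit primary key falls below the 112-bit floor, which is why a warning on the whole key is reasonable even though both subkeys are 2048 bits.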
