Re: RSA vs ECDSA (Was: Bits from keyring-maint: Pushing keyring updates. Let us bury your old 1024D key!)

2014-03-22 Thread Henrique de Moraes Holschuh
On Wed, 05 Mar 2014, peter green wrote:
 Also ECDSA shares with DSA the serious disadvantage over RSA that
 making signatures on a system with a broken RNG can reveal the key.

I believe that we should avoid ECDSA gnupg keys and subkeys like the plague
for the time being.

You'd most likely get ECDSA keys using the NIST p-curves out of gnupg, and
these p-curves are suspected to be backdoored.  AFAIK, better curves are
available only on the latest development versions of gnupg 2.1, and the
difficulties do not end there: the keyservers are also going to be a problem
for such keys and subkeys for a while yet.

IMHO, we should stick with 4096-bit RSA for the main key for the time being,
and use short expire dates for the *subkeys* (2 years or less).

Refer to http://safecurves.cr.yp.to/  for more details on elliptic curves
for crypto.


PS: NIST p-curves are also a potential problem on OpenSSH and DNSSEC.

-- 
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique Holschuh


-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20140323025114.ga14...@khazad-dum.debian.net



Re: RSA vs ECDSA (Was: Bits from keyring-maint: Pushing keyring updates. Let us bury your old 1024D key!)

2014-03-06 Thread Helmut Grohne
On Tue, Mar 04, 2014 at 02:33:23PM -0600, Gunnar Wolf wrote:
 Umh, I feel I have to answer this message, but I clearly don't have
 enough information to do so in an authoritative way¹. AIUI, ECDSA has
 not been shown to be *stronger* than RSA -- RSA works based on modulus
 operations, ECDSA on curve crypto. ECDSA keys can be smaller and
 achieve (again, AIUI) the same level of security. But nothing so far
 shows that RSA will be broken before or after ECDSA.

Let me add two aspects concerning ECDSA and RSA:

RSA relies on factorization of large numbers being hard. While it
certainly is hard, it may not be hard enough. The interesting question
is: How long does a signature operation take on a key strong enough to
defeat the current global computing power? Unfortunately this time
rises faster than our hardware becomes faster for RSA while it is a bit
better for ECDSA. At some point in the very far future it will be
infeasible to use RSA simply because your device will take ages to emit
a signature that is strong enough.

ECDSA is a DSA algorithm and therefore relies on the creation of secure
random numbers. It has this problem, that if you happen to choose the
same number for two signatures, your private key is broken. With RSA it
is harder to accidentally disclose your private key by using bad random
numbers for signatures. As far as I can tell a malicious random number
generator is part of our threat model now. Bernstein addresses this
issue in EdDSA.

Bottom line: I think it is a bit early to jump on ECDSA.

Hope this helps

Helmut


Archive: https://lists.debian.org/20140306124821.ga2...@alf.mars



Re: RSA vs ECDSA (Was: Bits from keyring-maint: Pushing keyring updates. Let us bury your old 1024D key!)

2014-03-06 Thread Ian Jackson
Helmut Grohne writes (Re: RSA vs ECDSA (Was: Bits from keyring-maint: Pushing 
keyring updates. Let us bury your old 1024D key!)):
 ECDSA is a DSA algorithm and therefore relies on the creation of secure
 random numbers. It has this problem, that if you happen to choose the
 same number for two signatures, your private key is broken. With RSA it
 is harder to accidentally disclose your private key by using bad random
 numbers for signatures. As far as I can tell a malicious random number
 generator is part of our threat model now. Bernstein addresses this
 issue in EdDSA.

I don't understand why everyone isn't using deterministic signatures
for DSA.  Instead of trying to use a fresh random number for the
random input into the signature scheme, you (speaking loosely) hash
the message and the private key together.  Done right, this completely
eliminates this potential weakness.

See RFC6979 for a detailed specification.  I think all DSA and ECDSA
signature generation code in Debian should be altered to use a
deterministic DSA variant.  (Unless we have something that relies on
the covert channel or randomness of signatures, which seems unlikely.)

We should use the procedure in RFC6979 exactly unless there is a
compelling reason to use something else.

Ian.


Archive: 
https://lists.debian.org/21272.42344.464473.593...@chiark.greenend.org.uk
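
The deterministic nonce derivation from RFC 6979 (section 3.2) that the message above recommends, together with a check for the failure it prevents. This is an added example, not part of the original thread and not GnuPG or Debian code. The names `rfc6979_k`, `repeated_r` and `SAMPLE_LOG` are assumptions made for illustration; `Q` and `X` are the P-256 order and the published test key from RFC 6979 Appendix A.2.5.

```python
import hashlib
import hmac

# NIST P-256 group order and the test private key from RFC 6979, A.2.5
# (published test values, not a real key).
Q = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
X = 0xC9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721

def rfc6979_k(x, msg, q=Q, hashfn=hashlib.sha256):
    """Derive the per-signature nonce k from private key and message."""
    qlen = q.bit_length()
    rlen = (qlen + 7) // 8
    hlen = hashfn().digest_size
    mac = lambda key, data: hmac.new(key, data, hashfn).digest()

    def bits2int(b):
        # Keep only the leftmost qlen bits, as the RFC specifies.
        return int.from_bytes(b, "big") >> max(0, len(b) * 8 - qlen)

    h1 = bits2int(hashfn(msg).digest()) % q
    seed = x.to_bytes(rlen, "big") + h1.to_bytes(rlen, "big")
    v, key = b"\x01" * hlen, b"\x00" * hlen
    for sep in (b"\x00", b"\x01"):          # RFC steps d-g
        key = mac(key, v + sep + seed)
        v = mac(key, v)
    while True:                             # RFC step h
        t = b""
        while len(t) * 8 < qlen:
            v = mac(key, v)
            t += v
        k = bits2int(t)
        if 1 <= k < q:
            return k
        key = mac(key, v + b"\x00")         # candidate out of range: retry
        v = mac(key, v)

def repeated_r(signatures):
    """Return key ids that signed two different messages with the same r.
    In DSA/ECDSA r depends only on k, so a repeated r means a repeated nonce."""
    seen, flagged = {}, set()
    for key_id, msg_hash, r in signatures:
        if seen.setdefault((key_id, r), msg_hash) != msg_hash:
            flagged.add(key_id)
    return sorted(flagged)

# Constructed audit records: (key id, message hash, r component of signature).
# key-A re-signs the same message (harmless under RFC 6979); key-B reuses a
# nonce across two different messages, the broken-RNG case from the thread.
SAMPLE_LOG = [
    ("key-A", "h1", 0x1111), ("key-A", "h2", 0x2222), ("key-A", "h1", 0x1111),
    ("key-B", "h3", 0x3333), ("key-B", "h4", 0x3333),
]
```

The nonce never touches the system RNG, so two different messages get different values of k even on a machine whose random source is stuck or hostile.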



Re: RSA vs ECDSA (Was: Bits from keyring-maint: Pushing keyring updates. Let us bury your old 1024D key!)

2014-03-05 Thread Kurt Roeckx
On Wed, Mar 05, 2014 at 08:29:37AM +0100, Ondrej Surý wrote:
 On Tue, Mar 4, 2014, at 21:33, Gunnar Wolf wrote:
  Ondrej Surý dijo [Tue, Mar 04, 2014 at 08:10:47PM +0100]:
   On Mon, Mar 3, 2014, at 19:13, Gunnar Wolf wrote:
    As keyring maintainers, we no longer consider 1024D keys to be
    trustable. We are not yet mass-removing them, because we don't want to
    hamper the project's work, but we definitively will start being more
    aggressively deprecating their use. 1024D keys should be seen as
    brute-force vulnerable nowadays. Please do migrate away from them into
    stronger keys (4096R recommended) as soon as possible.
   
   I am not sure what's the timeframe for GnuPG 2.1.0[1] release, but would
   it be possible to skip the RSA and go directly for ECDSA, before we
   start deprecating DSA? Or at least have an option to do so? (Well,
   unless GnuPG 2.1 release is too much far in the future.)
  
  Umh, I feel I have to answer this message, but I clearly don't have
  enough information to do so in an authoritative way¹. AIUI, ECDSA has
  not been shown to be *stronger* than RSA -- RSA works based on modulus
  operations, ECDSA on curve crypto. ECDSA keys can be smaller and
  achieve (again, AIUI) the same level of security. But nothing so far
  shows that RSA will be broken before or after ECDSA.
  
  Barring somebody pointing me to the right place to read, my take would
  be that we should accept both RSA and ECDSA keys
 
 Yes. I didn't suggest that we drop RSA.
 
  (of what minimum size/strength?).
 
 These might provide a guidance (even for RSA key lengths).
 
 http://www.keylength.com/en/compare/#Biblio4
 http://csrc.nist.gov/groups/ST/toolkit/key_management.html
 
 and
 
 http://csrc.nist.gov/publications/nistpubs/800-78-3/sp800-78-3.pdf
 
 NIST seems to recommend at least 2048 bits for RSA and Curve P-256 for
 ECDSA

You might want to take a look at http://safecurves.cr.yp.to/
before using the P-curves.


Kurt


Archive: https://lists.debian.org/20140305180926.ga3...@roeckx.be



RSA vs ECDSA (Was: Bits from keyring-maint: Pushing keyring updates. Let us bury your old 1024D key!)

2014-03-04 Thread Ondřej Surý
On Mon, Mar 3, 2014, at 19:13, Gunnar Wolf wrote:
 As keyring maintainers, we no longer consider 1024D keys to be
 trustable. We are not yet mass-removing them, because we don't want to
 hamper the project's work, but we definitively will start being more
 aggressively deprecating their use. 1024D keys should be seen as
 brute-force vulnerable nowadays. Please do migrate away from them into
 stronger keys (4096R recommended) as soon as possible.

I am not sure what's the timeframe for GnuPG 2.1.0[1] release, but would
it be possible to skip the RSA and go directly for ECDSA, before we
start deprecating DSA? Or at least have an option to do so? (Well,
unless GnuPG 2.1 release is too much far in the future.)

1.
http://lists.gnupg.org/pipermail/gnupg-devel/2011-February/025949.html

O.
-- 
Ondřej Surý ond...@sury.org
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server


Archive: 
https://lists.debian.org/1393960247.19940.90519781.6b051...@webmail.messagingengine.com



Re: RSA vs ECDSA (Was: Bits from keyring-maint: Pushing keyring updates. Let us bury your old 1024D key!)

2014-03-04 Thread Gunnar Wolf
Ondřej Surý dijo [Tue, Mar 04, 2014 at 08:10:47PM +0100]:
 On Mon, Mar 3, 2014, at 19:13, Gunnar Wolf wrote:
  As keyring maintainers, we no longer consider 1024D keys to be
  trustable. We are not yet mass-removing them, because we don't want to
  hamper the project's work, but we definitively will start being more
  aggressively deprecating their use. 1024D keys should be seen as
  brute-force vulnerable nowadays. Please do migrate away from them into
  stronger keys (4096R recommended) as soon as possible.
 
 I am not sure what's the timeframe for GnuPG 2.1.0[1] release, but would
 it be possible to skip the RSA and go directly for ECDSA, before we
 start deprecating DSA? Or at least have an option to do so? (Well,
 unless GnuPG 2.1 release is too much far in the future.)

Umh, I feel I have to answer this message, but I clearly don't have
enough information to do so in an authoritative way¹. AIUI, ECDSA has
not been shown to be *stronger* than RSA — RSA works based on modulus
operations, ECDSA on curve crypto. ECDSA keys can be smaller and
achieve (again, AIUI) the same level of security. But nothing so far
shows that RSA will be broken before or after ECDSA.

Barring somebody pointing me to the right place to read, my take would
be that we should accept both RSA and ECDSA keys (of what minimum
size/strength?). It should not be in any way different than what we
currently do.

But anybody looking at a mistake in my text, *please* correct me!

--

¹ Outside, that is, from the authority vested by delegating me part of
  keyring-maint ;-)




Re: RSA vs ECDSA (Was: Bits from keyring-maint: Pushing keyring updates. Let us bury your old 1024D key!)

2014-03-04 Thread Kurt Roeckx
On Tue, Mar 04, 2014 at 08:10:47PM +0100, Ondrej Surý wrote:
 On Mon, Mar 3, 2014, at 19:13, Gunnar Wolf wrote:
  As keyring maintainers, we no longer consider 1024D keys to be
  trustable. We are not yet mass-removing them, because we don't want to
  hamper the project's work, but we definitively will start being more
  aggressively deprecating their use. 1024D keys should be seen as
  brute-force vulnerable nowadays. Please do migrate away from them into
  stronger keys (4096R recommended) as soon as possible.
 
 I am not sure what's the timeframe for GnuPG 2.1.0[1] release, but would
 it be possible to skip the RSA and go directly for ECDSA, before we
 start deprecating DSA? Or at least have an option to do so? (Well,
 unless GnuPG 2.1 release is too much far in the future.)

Do you have any idea which curves and/or signature algorithms are
supported?  I think I would like to see EdDSA in that case.

I would also like to see that they get started on PGP v5.


Kurt


Archive: https://lists.debian.org/20140304225640.ga11...@roeckx.be



RSA vs ECDSA (Was: Bits from keyring-maint: Pushing keyring updates. Let us bury your old 1024D key!)

2014-03-04 Thread peter green


 I am not sure what's the timeframe for GnuPG 2.1.0[1] release, but would
 it be possible to skip the RSA and go directly for ECDSA, before we
 start deprecating DSA? Or at least have an option to do so? (Well,
 unless GnuPG 2.1 release is too much far in the future.)

IMO we need to phase out 1024 bit RSA/DSA keys as soon as reasonably 
practical.  Even if gnupg 2.1 was released tomorrow we would still have 
the problem of Debian stable releases and other distros carrying older 
versions.


Also ECDSA shares with DSA the serious disadvantage over RSA that making 
signatures on a system with a broken RNG can reveal the key.




Archive: https://lists.debian.org/5316bc2b.7040...@p10link.net



Re: RSA vs ECDSA (Was: Bits from keyring-maint: Pushing keyring updates. Let us bury your old 1024D key!)

2014-03-04 Thread Ondřej Surý
On 5. 3. 2014, at 5:54, peter green plugw...@p10link.net wrote:

 
  I am not sure what's the timeframe for GnuPG 2.1.0[1] release, but would
  it be possible to skip the RSA and go directly for ECDSA, before we
  start deprecating DSA? Or at least have an option to do so? (Well,
  unless GnuPG 2.1 release is too much far in the future.)
 IMO we need to phase out 1024 bit RSA/DSA keys as soon as reasonably 
 practical.  Even if gnupg 2.1 was released tomorrow we would still have the 
 problem of Debian stable releases and other distros carrying older versions.

You have convinced me :). Even though the attack surface is lowered by the fact 
that you would (probably) notice the malicious upload with your compromised 
key. But the reputation harm would still be there.

 Also ECDSA shares with DSA the serious disadvantage over RSA that making 
 signatures on a system with a broken RNG can reveal the key.

Care to share a source? I thought that RSA would be vulnerable to poor RNG as 
well.

O.
-- 
Ondřej Surý ond...@sury.org
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server



Re: RSA vs ECDSA (Was: Bits from keyring-maint: Pushing keyring updates. Let us bury your old 1024D key!)

2014-03-04 Thread Bastian Blank
On Wed, Mar 05, 2014 at 06:54:53AM +, Ondřej Surý wrote:
  Also ECDSA shares with DSA the serious disadvantage over RSA that making 
  signatures on a system with a broken RNG can reveal the key.
 Care to share a source? I thought that RSA would be vulnerable to poor RNG as 
 well.

The algorithm.  DSA and ECDSA need randomness in the signature process,
see Wikipedia.

RSA only takes randomness during key generation.

Bastian

-- 
Where there's no emotion, there's no motive for violence.
-- Spock, Dagger of the Mind, stardate 2715.1


Archive: https://lists.debian.org/20140305065853.ga31...@mail.waldi.eu.org



Re: RSA vs ECDSA (Was: Bits from keyring-maint: Pushing keyring updates. Let us bury your old 1024D key!)

2014-03-04 Thread Ondřej Surý
On Wed, Mar 5, 2014, at 7:58, Bastian Blank wrote:
 On Wed, Mar 05, 2014 at 06:54:53AM +, Ondřej Surý wrote:
   Also ECDSA shares with DSA the serious disadvantage over RSA that making 
   signatures on a system with a broken RNG can reveal the key.
  Care to share a source? I thought that RSA would be vulnerable to poor RNG 
  as well.
 
 The algorithm.  DSA and ECDSA need randomness in the signature process,
 see Wikipedia.
 
 RSA only takes randomness during key generation.

I see, for the reference RFC6979 provides more information (and remedy
for the problem).

Thanks for the hint, I have googled for ECDSA broken RNG that didn't
reveal the correct source.

O.
-- 
Ondřej Surý ond...@sury.org
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server


Archive: 
https://lists.debian.org/1394004176.29929.90741897.31dee...@webmail.messagingengine.com



Re: RSA vs ECDSA (Was: Bits from keyring-maint: Pushing keyring updates. Let us bury your old 1024D key!)

2014-03-04 Thread Ondřej Surý
On Tue, Mar 4, 2014, at 21:33, Gunnar Wolf wrote:
 Ondřej Surý dijo [Tue, Mar 04, 2014 at 08:10:47PM +0100]:
  On Mon, Mar 3, 2014, at 19:13, Gunnar Wolf wrote:
   As keyring maintainers, we no longer consider 1024D keys to be
   trustable. We are not yet mass-removing them, because we don't want to
   hamper the project's work, but we definitively will start being more
   aggressively deprecating their use. 1024D keys should be seen as
   brute-force vulnerable nowadays. Please do migrate away from them into
   stronger keys (4096R recommended) as soon as possible.
  
  I am not sure what's the timeframe for GnuPG 2.1.0[1] release, but would
  it be possible to skip the RSA and go directly for ECDSA, before we
  start deprecating DSA? Or at least have an option to do so? (Well,
  unless GnuPG 2.1 release is too much far in the future.)
 
 Umh, I feel I have to answer this message, but I clearly don't have
 enough information to do so in an authoritative way¹. AIUI, ECDSA has
 not been shown to be *stronger* than RSA — RSA works based on modulus
 operations, ECDSA on curve crypto. ECDSA keys can be smaller and
 achieve (again, AIUI) the same level of security. But nothing so far
 shows that RSA will be broken before or after ECDSA.
 
 Barring somebody pointing me to the right place to read, my take would
 be that we should accept both RSA and ECDSA keys

Yes. I didn't suggest that we drop RSA.

 (of what minimum size/strength?).

These might provide a guidance (even for RSA key lengths).

http://www.keylength.com/en/compare/#Biblio4
http://csrc.nist.gov/groups/ST/toolkit/key_management.html

and

http://csrc.nist.gov/publications/nistpubs/800-78-3/sp800-78-3.pdf

NIST seems to recommend at least 2048 bits for RSA and Curve P-256 for
ECDSA

O.
-- 
Ondřej Surý ond...@sury.org
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server


Archive: 
https://lists.debian.org/1394004577.30973.90743553.7342f...@webmail.messagingengine.com