Re: 1024 key with 2048 subkey: how affected?
On Mon, Jan 23, 2012 at 9:08 PM, John Clizbe j...@enigmail.net wrote:

> Larger and larger RSA keys aren't the solution, ECC is. The balance of power has tipped away from RSA and toward ECC.
>
> Feel free to ignore everything I've said. There's no reason you should trust me. But by all means, keep asking questions. But everything I've read agrees larger and larger RSA keys are not the path forward.

I agree with you entirely, I'm just waiting for the various standards to pick it up, and for more people to use it. When many people (whose opinion I value) use and trust it, I will also.

Cheers
Chris Poole [PGP BAD246F9]

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: 1024 key with 2048 subkey: how affected?
On Mon, Jan 23, 2012 at 10:11 PM, Robert J. Hansen r...@sixdemonbag.org wrote:

> A lot of people like to refer to _Applied Cryptography_ or _The Handbook of Applied Cryptography_ for information on algorithms, and for very good reason: they've generally got excellent information. They are also old books. _AC_ is coming up on twenty years old, for instance, and _HoAC_ isn't much younger. At the time these books were written the jury was still out on whether ECC had firm theoretical underpinnings. Nowadays the jury is back, and ECC is generally recognized as being as reputable as RSA, DSA or Elgamal.

Are you able to recommend any particular resources or books that cover ECC in a more complete and up to date fashion?

Cheers
Chris Poole [PGP BAD246F9]
Re: 1024 key with 2048 subkey: how affected?
On 2/1/12 9:43 AM, Chris Poole wrote:

> Are you able to recommend any particular resources or books that cover ECC in a more complete and up to date fashion?

Many. The real question is what level of depth you want.

Googling for nsa suite b would be a pretty good starting place, probably. The National Security Agency has approved the use of ECC for classified material as part of their Suite B cryptography package. As is the case with most government standards there is ample documentation about everything from the theoretical to the practical, although it isn't all collected in one place.
Re: 1024 key with 2048 subkey: how affected?
On Wed, 1 Feb 2012 15:43, li...@chrispoole.com said:

> Are you able to recommend any particular resources or books that cover ECC in a more complete and up to date fashion?

@book{Hankerson:2003:GEC:940321,
  author = {Hankerson, Darrel and Menezes, Alfred J. and Vanstone, Scott},
  title = {Guide to Elliptic Curve Cryptography},
  year = {2003},
  isbn = {038795273X},
  url = {http://www.cacr.math.uwaterloo.ca/ecc/},
  publisher = {Springer-Verlag New York, Inc.},
  address = {Secaucus, NJ, USA},
}

It is similar to the already mentioned HAC.

Shalom-Salam,
Werner

-- 
Thoughts are free. Exceptions are regulated by a federal law.
Re: 1024 key with 2048 subkey: how affected?
On 1 Feb 2012, at 15:00, Robert J. Hansen r...@sixdemonbag.org wrote:

> Googling for nsa suite b would be a pretty good starting place, probably. The National Security Agency has approved the use of ECC for classified material as part of their Suite B cryptography package. As is the case with most government standards there is ample documentation about everything from the theoretical to the practical, although it isn't all collected in one place.

Thanks, I didn't realise this; it's left me with plenty of reading to do.
Re: 1024 key with 2048 subkey: how affected?
On 1 Feb 2012, at 15:41, Werner Koch w...@gnupg.org wrote:

> @book{Hankerson:2003:GEC:940321

Thank you, that's useful.
Re: 1024 key with 2048 subkey: how affected?
On Sun, Jan 22, 2012 at 4:02 AM, Robert J. Hansen r...@sixdemonbag.org wrote:

> A 1024-bit key has about an 80-bit keyspace, which is a factor of 16 million larger. Given the advances in supercomputing in the last decade it is reasonable to believe 1024-bit keys are either breakable now or will be in the near future, but only at incredible cost.

If the only purpose of the primary key (in my case, where I have subkeys for signing and encryption) is to sign the subkeys, why not simply make it stupidly large? Equivalent to 256 bits with a symmetric cipher, or 512 bits?

Then, simply issue 2048 bit keys for encryption or signing as and when required, all signed by this master key. It would not really be used in day to day duties, since the subkeys will be used for this.

(I guess, assuming of course that a key strengthening or lengthening algorithm is used for the primary key.)

Cheers,
Chris
Re: 1024 key with 2048 subkey: how affected?
On Mon, Jan 23, 2012 at 02:18:54PM +, Chris Poole wrote:

> If the only purpose of the primary key (in my case, where I have subkeys for signing and encryption) is to sign the subkeys, why not simply make it stupidly large? Equivalent to 256 bits with a symmetric cipher, or 512 bits?

Because it's also used to sign other people's keys. Using a very large key (for 256-bit equivalence, ~15kbits) makes verification so slow as to be unusable. You have to not only verify signatures on other keys but also the signatures on the subkeys.

This is less of a problem with implementations that verify signatures only once and then cache the results, but most implementations do not do that.

Also, there's nothing preventing people from actually signing data with the primary key, so someone who is unfamiliar with your strategy might accidentally use a single, very large key.

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
Re: 1024 key with 2048 subkey: how affected?
On 1/23/12 9:18 AM, Chris Poole wrote:

> If the only purpose of the primary key (in my case, where I have subkeys for signing and encryption) is to sign the subkeys

How do you enforce that?

If it is technically possible to sign a document with your primary key, then good luck telling a judge "no, Your Honor, this signature isn't valid, it was made with my primary key and I only use my signing subkey for documents."

You may say the only purpose of the primary key is to sign the subkeys, but if it's technically possible for the primary key to sign documents then the purpose of the primary key is to sign documents.

This is why I think it's kind of absurd to have a larger signing subkey than the primary key. The weak link in the chain is going to be the primary key.
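A way to check a keyring for the two conditions raised in the message above (a primary key that is smaller than the subkeys it certifies, and a primary key that is itself able to sign data), added here as an example and not taken from any poster's message. It reads the `gpg --list-keys --with-colons` format; the sample input, key IDs and function names are constructed for illustration.

```python
# Constructed sample of `gpg --list-keys --with-colons` output, modelled on the
# key described in this thread (1024-bit DSA primary, 4096-bit Elgamal and
# 2048-bit DSA subkeys). Key IDs and the user ID are placeholders.
SAMPLE = """\
pub:u:1024:17:AAAAAAAAAAAAAAA1:1136073600:::u:::scESC:
uid:u::::1136073600::::Example User <user@example.org>:
sub:u:4096:16:AAAAAAAAAAAAAAA2:1136073600::::::e:
sub:u:2048:17:AAAAAAAAAAAAAAA3:1262304000::::::s:
"""

# OpenPGP algorithm IDs whose key sizes are comparable with each other.
NFS_ALGOS = {1: "RSA", 16: "Elgamal", 17: "DSA"}

def parse_keys(colons):
    """Group pub/sub records: [{'primary': rec, 'subkeys': [rec, ...]}, ...]."""
    keys = []
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] not in ("pub", "sub") or len(f) < 12:
            continue                      # uid, fpr and other records are ignored
        rec = {"bits": int(f[2]), "algo": int(f[3]), "keyid": f[4], "caps": f[11]}
        if f[0] == "pub":
            keys.append({"primary": rec, "subkeys": []})
        elif keys:
            keys[-1]["subkeys"].append(rec)
    return keys

def audit(key, min_bits=2048):
    """Return findings for one key; min_bits follows the thread's 2048-bit advice."""
    findings = []
    p = key["primary"]
    if p["algo"] in NFS_ALGOS:
        if p["bits"] < min_bits:
            findings.append(f"primary {p['keyid']}: {p['bits']}-bit "
                            f"{NFS_ALGOS[p['algo']]} is below {min_bits} bits")
        for s in key["subkeys"]:
            if s["algo"] in NFS_ALGOS and s["bits"] > p["bits"]:
                findings.append(f"subkey {s['keyid']}: {s['bits']} bits, certified "
                                f"by weaker {p['bits']}-bit primary")
    # Lowercase letters in field 12 are the capabilities of this key itself.
    if "s" in p["caps"]:
        findings.append(f"primary {p['keyid']}: can sign data, not only certify")
    return findings

if __name__ == "__main__":
    for key in parse_keys(SAMPLE):
        for finding in audit(key):
            print(finding)
```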
Re: 1024 key with 2048 subkey: how affected?
On Mon, Jan 23, 2012 at 6:16 PM, Robert J. Hansen r...@sixdemonbag.org wrote:

> You may say the only purpose of the primary key is to sign the subkeys, but if it's technically possible for the primary key to sign documents then the purpose of the primary key is to sign documents.
>
> This is why I think it's kind of absurd to have a larger signing subkey than the primary key. The weak link in the chain is going to be the primary key.

That makes sense, thanks.

Chris
Re: 1024 key with 2048 subkey: how affected?
On Mon, Jan 23, 2012 at 4:52 PM, brian m. carlson sand...@crustytoothpaste.net wrote:

> Because it's also used to sign other people's keys. Using a very large key (for 256-bit equivalence, ~15kbits) makes verification so slow as to be unusable. You have to not only verify signatures on other keys but also the signatures on the subkeys.

That was what I hadn't thought about. Thanks for bringing it to my attention.

Cheers,
Chris
Re: 1024 key with 2048 subkey: how affected?
Chris Poole wrote:

> On Mon, Jan 23, 2012 at 4:52 PM, brian m. carlson sand...@crustytoothpaste.net wrote:
>
>> Because it's also used to sign other people's keys. Using a very large key (for 256-bit equivalence, ~15kbits) makes verification so slow as to be unusable. You have to not only verify signatures on other keys but also the signatures on the subkeys.
>
> That was what I hadn't thought about. Thanks for bringing it to my attention.

Just to point out an important data point on the key size front. To a degree, larger keys are better. However, 4096-bit RSA keys are never going to be a standard.

http://lists.gnupg.org/pipermail/gnupg-users/2010-December/040103.html

Depending on the source, a consensus seems to be forming that beyond a 2048 or 3072 bit modulus for DSA2 or RSA, folks need to switch to ECC.

Larger and larger RSA keys aren't the solution, ECC is. The balance of power has tipped away from RSA and toward ECC.

Feel free to ignore everything I've said. There's no reason you should trust me. But by all means, keep asking questions. But everything I've read agrees larger and larger RSA keys are not the path forward.

-John

-- 
John P. Clizbe                      Inet: John ( a ) Enigmail DAWT net
FSF Assoc #995 / FSFE Fellow #1797  hkp://keyserver.gingerbear.net or
mailto:pgp-public-k...@gingerbear.net?subject=HELP
Q:Just how do the residents of Haiku, Hawai'i hold conversations?
A:An odd melody / island voices on the winds / surplus of vowels
Re: 1024 key with 2048 subkey: how affected?
On 1/23/12 4:08 PM, John Clizbe wrote:

> Depending on the source, a consensus seems to be forming that beyond a 2048 or 3072 bit modulus for DSA2 or RSA, folks need to switch to ECC.

Emphatic agreement -- this is clarification, not dispute:

A lot of people like to refer to _Applied Cryptography_ or _The Handbook of Applied Cryptography_ for information on algorithms, and for very good reason: they've generally got excellent information.

They are also old books. _AC_ is coming up on twenty years old, for instance, and _HoAC_ isn't much younger. At the time these books were written the jury was still out on whether ECC had firm theoretical underpinnings. Nowadays the jury is back, and ECC is generally recognized as being as reputable as RSA, DSA or Elgamal. [1]

ECC will be coming to OpenPGP sooner or later, and probably sooner. I'd be astonished if we didn't have ECC by, say, 2017.

[1] You can thank Fermat for this. It turns out that proving Fermat's Last Theorem was instrumental in establishing the correctness of ECC. In 1995, Andrew Wiles proved the Taniyama-Shimura conjecture over semi-stable elliptic curves. This in turn proved Fermat's Last Theorem, and directly led to cryptographers having confidence in elliptical curve cryptography. So the next time someone presents Fermat's Theorem as a mathematical curiosity with no practical purpose, tell them the next generation of encryption algorithms begs to differ...
Re: 1024 key with 2048 subkey: how affected?
On Friday, 20 January 2012, 21:15:29, Chris Poole wrote:

> The encryption and signing is still being done by the subkeys, so is it simply that they're signed by the parent 1024-bit key, and this key is easier to fake?

Yes. If the main key is compromised then

a) certifications for other keys can be forged (of course, anyone being attacked by that could see that the key whose certification he is going to rely on is that short)

b) new subkeys for that key can be created

If the attacker is capable of a man-in-the-middle attack then he can send the compromised key when the attacked person makes a keyserver update. This way no one would notice the manipulation (not even the key owner when checking what's on the keyservers). Afterwards data would be encrypted to the wrong key and signatures by the attacker's subkey would be accepted.

Another attack scenario is that the whole key can be revoked when you need it. People do not send you important, urgent information because they do not have a valid key to encrypt to. Or you have to sign something in time but do not have a key which is accepted by the recipient.

Hauke

-- 
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
Re: 1024 key with 2048 subkey: how affected?
On 1/20/2012 3:15 PM, Chris Poole wrote:

> Since it's now recommended (to my knowledge) to use 2048-bit keys and above, how does having a 1024-bit keypair affect me?

It depends entirely on what you're doing with it. Breaking a 1024-bit key is within the realm of possibility for a ridiculously well-funded adversary. It hasn't been publicly demonstrated yet, but it's a matter of time.

Over a decade ago, the state of the art was to break a 56-bit keyspace in under 24 hours for $250,000. A 1024-bit key has about an 80-bit keyspace, which is a factor of 16 million larger. Given the advances in supercomputing in the last decade it is reasonable to believe 1024-bit keys are either breakable now or will be in the near future, but only at incredible cost.

If I was signing nuclear weapon authorization codes, I would not trust 1024-bit DSA. Nor would I trust it if I was signing a 30-year mortgage. On the other hand, for most normal email usage 1024-bit crypto is still plenty enough.
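The arithmetic behind two figures quoted in this thread (about 80 bits for a 1024-bit key here, and roughly 15 kbit for 256-bit equivalence in brian m. carlson's message), as an added example that is not part of any poster's message. It assumes the number field sieve work estimate with the constants of the FIPS 140-2 Implementation Guidance 7.5 formula; the function names are illustrative.

```python
import math

def nfs_strength_bits(modulus_bits: int) -> float:
    """Approximate symmetric-equivalent strength of an RSA/DSA/Elgamal modulus.

    Assumption: general number field sieve cost, using the constants of the
    FIPS 140-2 Implementation Guidance 7.5 formula.
    """
    x = modulus_bits * math.log(2)           # ln(n) for a modulus n of this size
    work = 1.923 * x ** (1 / 3) * math.log(x) ** (2 / 3) - 4.69
    return work / math.log(2)                # natural-log work factor -> bits

def modulus_for_strength(target_bits: float) -> int:
    """Smallest modulus size (in bits) whose estimate reaches target_bits."""
    lo, hi = 512, 1 << 17
    while lo < hi:                           # the estimate is monotonic, so bisect
        mid = (lo + hi) // 2
        if nfs_strength_bits(mid) >= target_bits:
            hi = mid
        else:
            lo = mid + 1
    return lo

def strength_table(sizes=(1024, 2048, 3072, 4096, 8192, 15360)):
    """(modulus bits, estimated strength): strength grows far slower than size."""
    return [(n, round(nfs_strength_bits(n))) for n in sizes]

if __name__ == "__main__":
    for n, s in strength_table():
        print(f"{n:6d}-bit modulus ~ {s:3d}-bit symmetric strength")
    # 80-bit versus 56-bit keyspace: the "factor of 16 million" in the thread
    print("2^(80-56) =", 2 ** (80 - 56))
    print("modulus for ~256-bit strength:", modulus_for_strength(256))
```

The model is approximate, so its outputs differ by a few bits from published comparable-strength tables.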
1024 key with 2048 subkey: how affected?
Hi,

I created a gpg keypair a while ago, when the default was still 1024D. This has a 4096g encryption subkey, and a 2048D signing subkey.

Since it's now recommended (to my knowledge) to use 2048-bit keys and above, how does having a 1024-bit keypair affect me?

The encryption and signing is still being done by the subkeys, so is it simply that they're signed by the parent 1024-bit key, and this key is easier to fake?

Thanks,
Chris Poole