Re: [gpgtools-users] "This key may be unsafe"

2011-03-08 Thread Alexander Willner
Hi,

in this context: http://www.keylength.com/en/compare/

Best regards, Alex


On 07.03.2011, at 22:03, Charly Avital wrote:

> GPG Keychain Access 0.8.4 shows a red warning 'This key maybe unsafe'
> for *any* key with a length equal or inferior to 1024 bits.
> 
> GPG Keychain Access 0.8.4 is a GUI for key management for Mac users.
> 
> 
> A Google search with key sentence "This key maybe unsafe" between
> inverted commas, to limit the search to the whole sentence, displays
> hits that relate directly or indirectly (Twitter) only to GPGTools' lists.
> 
> I am cross-posting to gnupg-users to try and get more feedback about
> this issue:
> Are keys whose length is equal or inferior to 1024 bits *unsafe*?
> If so, how are they unsafe?
> Where is this key length unsafe situation documented?
> 
> As a personal example, my primary key A57A8EFA is a DSA "old" 1024 bit
> key, but its encryption subkey is 2048 bit long, and I use a sign-only
> 2048 bit long RSA subkey. I also get that red warning with GPG Keychain
> Access 0.8.4
> 
> TIA.
> Charly
> 
> 
> 
> 
> 
> ___
> gpgtools-users mailing list
> gpgtools-us...@lists.gpgtools.org
> FAQ: http://www.gpgtools.org/faq.html
> Changes: http://lists.gpgtools.org/mailman/listinfo/gpgtools-users
> Unsubscribe: 
> http://lists.gpgtools.org/mailman/options/gpgtools-users/a...@willner.ws?unsub=Unsubscribe&unsubconfirm=1
> 
> This email sent to: a...@willner.ws



___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: "This key may be unsafe"

2011-03-07 Thread Charly Avital
Hi,

thanks to all who answered, explained and referred.

As far as I am concerned, I am satisfied, documented, and again, grateful.

Charly





Re: "This key may be unsafe"

2011-03-07 Thread Ben McGinnes
On 8/03/11 2:09 PM, Jean-David Beyer wrote:
> 
> I run Red Hat Enterprise Linux 5.6 (the latest of the RHEL5 series)
> and they are only up to gnupg-1.4.5-14.el5_5.1. They will probably
> not move up until RHEL 6 (that I believe has just recently come
> out).

It has, a couple of months ago.

> It looks as though that one is: gnupg2-2.0.14-4.el6.i686 (for my
> 32-bit machines); unless I am confused.

I would recommend compiling GnuPG 1.4.11 in /usr/local/src or
/opt/local/src (the latter will require specifying the prefix and
eprefix flags).  I've done this on a CentOS 5.5 system, so I know it
will work for you.  There's no problem with installing this and
leaving the default package in place, just remember that
/usr/local/bin/gpg (or /opt/local/bin/gpg) will be different from
/usr/bin/gpg.


Regards,
Ben






Re: "This key may be unsafe"

2011-03-07 Thread Jean-David Beyer
Grant Olson wrote:

> Here's a case where the difference between < and <= is HUGE.
> 
> gnupg 1.4 only switched the defaults from 1024 DSA/ElGamal to 2048
> RSA/RSA in 1.4.10, which isn't even two years old.  I still see plenty
> of boxes in the wild that only have 1.4.9, and not just those ones that
> are old and creaky and people are afraid to reboot for fear of an actual
> hardware failure.
> 
> Like you said, I would avoid creating one that size now, but even just a
> year-and-a-half ago, your mantra of "use the defaults unless you know
> what you're doing" would have resulted in 1024 bit keys for most users.
> 
> Meanwhile, warning about keys < 1024 bit would be a little more
> practical, at least until ECC hits the standard.
> 
I run Red Hat Enterprise Linux 5.6 (the latest of the RHEL5 series) and
they are only up to gnupg-1.4.5-14.el5_5.1. They will probably not move
up until RHEL 6 (that I believe has just recently come out). It looks as
though that one is: gnupg2-2.0.14-4.el6.i686  (for my 32-bit machines);
unless I am confused.

-- 
  .~.  Jean-David Beyer  Registered Linux User 85642.
  /V\  PGP-Key: 9A2FC99A Registered Machine   241939.
 /( )\ Shrewsbury, New Jersey    http://counter.li.org
 ^^-^^ 21:50:01 up 4 days, 6:51, 3 users, load average: 4.73, 4.72, 4.92



Re: "This key may be unsafe"

2011-03-07 Thread Jeffrey Walton
On Mon, Mar 7, 2011 at 4:03 PM, Charly Avital wrote:
> GPG Keychain Access 0.8.4 shows a red warning 'This key maybe unsafe'
> for *any* key with a length equal or inferior to 1024 bits.
>
> GPG Keychain Access 0.8.4 is a GUI for key management for Mac users.
> 
>
> A Google search with key sentence "This key maybe unsafe" between
> inverted commas, to limit the search to the whole sentence, displays
> hits that relate directly or indirectly (Twitter) only to GPGTools' lists.
Search for Security Levels and then take a look at NIST SP 800-57
(Table 2, Comparable Strengths), SP 800-131, or ECRYPT2's "Yearly
Report on Algorithms and Keysizes"

> Are keys whose length is equal or inferior to 1024 bits *unsafe*?
It depends on whom you ask. NIST say yes under most situations, others
say no. Lenstra, et al feel 1024 RSA/P-160 ECC will hold until 2020
with an acceptable amount of risk. See "On the Security of 1024-bit
RSA and 160-bit Elliptic Curve Cryptography"

> If so, how are they unsafe?
The bad guy can recover your secrets because the "work" to break the
key is too easy.

> Where is this key length unsafe situation documented?
See above.

> As a personal example, my primary key A57A8EFA is a DSA "old" 1024 bit
> key, but its encryption subkey is 2048 bit long, and I use a sign-only
> 2048 bit long RSA subkey. I also get that red warning with GPG Keychain
> Access 0.8.4
A 1024 bit key has a security level of about 80 bits. The 2048 bit key
holds about 112 bits of security.

The bad guy has two choices: break the 1024 signing key (80 bits of
security), or allow you to send an ephemeral key comparable to a 2048
bit modulus (112 bits of security) and break the 2048 ephemeral key. He
either attacks the 1024 bit key, or the 2048 bit key. His choice is
simple: break your signing key (1024 bits), then step in the middle
and sign an ephemeral key of his choosing (pretending to be you).

As a side note, most SSL certificates I have looked at mismatch
security levels also. GeoTrust just issued me two certificates signed
with SHA-1. Yet my keys were RSA 2048/SHA-224. The bad guy should
attack GeoTrust's weaker signature rather than my authentication keys
:(

Jeff



Re: "This key may be unsafe"

2011-03-07 Thread Grant Olson
On 3/7/11 5:32 PM, Robert J. Hansen wrote:
> On 3/7/11 4:03 PM, Charly Avital wrote:
>> Are keys whose length is equal or inferior to 1024 bits *unsafe*?
> 
> A 1024-bit key is believed to be roughly comparable to an 80-bit
> symmetric key.  I am comfortable saying this is a reasonable level of
> security for the next few years for people who are not worried about
> being targeted by people who can afford to drop a few million dollars on
> cryptanalysis.
> 
> It is not a wise choice for long-term security, but I am not comfortable
> calling it "unsafe" for most users.
> 
> 

Here's a case where the difference between < and <= is HUGE.

gnupg 1.4 only switched the defaults from 1024 DSA/ElGamal to 2048
RSA/RSA in 1.4.10, which isn't even two years old.  I still see plenty
of boxes in the wild that only have 1.4.9, and not just those ones that
are old and creaky and people are afraid to reboot for fear of an actual
hardware failure.

Like you said, I would avoid creating one that size now, but even just a
year-and-a-half ago, your mantra of "use the defaults unless you know
what you're doing" would have resulted in 1024 bit keys for most users.

Meanwhile, warning about keys < 1024 bit would be a little more
practical, at least until ECC hits the standard.

-- 
Grant

"I am gravely disappointed. Again you have made me unleash my dogs of war."





Re: "This key may be unsafe"

2011-03-07 Thread Robert J. Hansen
On 3/7/11 4:03 PM, Charly Avital wrote:
> Are keys whose length is equal or inferior to 1024 bits *unsafe*?

A 1024-bit key is believed to be roughly comparable to an 80-bit
symmetric key.  I am comfortable saying this is a reasonable level of
security for the next few years for people who are not worried about
being targeted by people who can afford to drop a few million dollars on
cryptanalysis.

It is not a wise choice for long-term security, but I am not comfortable
calling it "unsafe" for most users.




Re: "This key may be unsafe" - Redux

2011-03-07 Thread David Tomaschik
This key length concern is highly dependent on the threat model.  I
believe RSA-1024 is likely safe TODAY for MOST attacks.  That being
said, I could not, in good conscience, suggest that anyone generate a
1024 bit key today -- the lifetime on that is probably too short, and
almost any device (including most mobile devices that can handle some
form of OpenPGP) should be able to handle at least 2048 bit without
much trouble.  Section 5.6 of NIST Publication 800-57
(http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf)
is the best guidance I use for key length selection.  NIST recommended
that use of 1024 bit RSA-type (IFC) keys be discontinued in 2010.
2048 is recommended through 2030.  I use a 4k master key
(certification only) and 3k keys for encrypt and sign.  Yes, this is
perhaps a bit paranoid, but I have yet to run into any device where I
feel the delay is unacceptable (my android phone included).

I don't believe that GPG alerts on key lengths at all, but it does
have suggested lengths at key generation time.

David


On Mon, Mar 7, 2011 at 4:41 PM, Charly Avital wrote:
>> GPG Keychain Access 0.8.4 shows a red warning 'This key maybe unsafe'
>> for *any* key with a length equal or inferior to 1024 bits.
> [...]
>
>>
>> Are keys whose length is equal or inferior to 1024 bits *unsafe*?
>> If so, how are they unsafe?
>> Where is this key length unsafe situation documented?
>
> I am not aware of any GnuPG command in Terminal that would display or
> warn about this situation. Is there any, or should there be any?
>
>
> [...]
>
> TIA.
> Charly
>
>
>
>
>
>
>



-- 
David Tomaschik, RHCE, LPIC-1
System Administrator/Open Source Advocate
OpenPGP: 0x5DEA789B
http://systemoverlord.com
da...@systemoverlord.com
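
An added example, not part of any post in this thread: since GnuPG itself does not warn on key length, this sketch audits `gpg --list-keys --with-colons` output and reports each key's weakest component, using the 1024 = 80 bit and 2048 = 112 bit figures quoted in the thread. The levels above 2048 bits are taken from NIST SP 800-57's comparable-strengths table; the sample listing and its key IDs are constructed, and `audit` and `security_bits` are hypothetical names.

```python
# Constructed sample in gpg's colon format (key IDs are made up). The first key
# mirrors the layout described in the thread: 1024-bit DSA primary, 2048-bit
# encryption subkey, 2048-bit RSA signing subkey.
SAMPLE = """\
tru::1:1299500000:0:3:1:5
pub:u:1024:17:AAAAAAAAAAAAAAAA:2003-01-01:::u:::scESC:
uid:u::::2003-01-01::0000::Constructed User <user@example.org>:
sub:u:2048:16:BBBBBBBBBBBBBBBB:2003-01-01::::::e:
sub:u:2048:1:CCCCCCCCCCCCCCCC:2009-06-01::::::s:
pub:u:4096:1:DDDDDDDDDDDDDDDD:2010-05-05:::u:::cC:
sub:u:3072:1:EEEEEEEEEEEEEEEE:2010-05-05::::::e:
"""

# (minimum key size in bits, comparable symmetric strength), RSA/DSA/ElGamal only.
NIST_LEVELS = [(15360, 256), (7680, 192), (3072, 128), (2048, 112), (1024, 80)]
ALGOS = {1: "RSA", 2: "RSA", 3: "RSA", 16: "ElGamal", 17: "DSA"}  # OpenPGP algorithm IDs

def security_bits(key_bits):
    """Map a key size to its comparable strength; 0 means below the table."""
    for size, level in NIST_LEVELS:
        if key_bits >= size:
            return level
    return 0

def audit(colon_listing, floor=112):
    """Group pub/sub records per key and flag keys whose weakest part is below floor."""
    report, current = [], None
    for line in colon_listing.splitlines():
        f = line.split(":")
        if f[0] not in ("pub", "sub"):
            continue
        if f[0] == "pub":
            current = None  # never attach subkeys to a previous primary
        if int(f[3]) not in ALGOS:
            continue  # algorithms outside the table are skipped, not guessed
        key = {"id": f[4], "algo": ALGOS[int(f[3])], "bits": int(f[2]),
               "level": security_bits(int(f[2]))}
        if f[0] == "pub":
            current = {"primary": key, "subkeys": []}
            report.append(current)
        elif current is not None:
            current["subkeys"].append(key)
    for entry in report:
        # An attacker targets the weakest component, so that bounds the whole key.
        entry["effective"] = min([entry["primary"]["level"]] +
                                 [s["level"] for s in entry["subkeys"]])
        entry["weak"] = entry["effective"] < floor
    return report

if __name__ == "__main__":
    for e in audit(SAMPLE):
        p = e["primary"]
        print(p["id"], p["algo"], p["bits"], "effective", e["effective"],
              "WARN" if e["weak"] else "ok")
```

With the default `floor=112` a 1024-bit primary is flagged even when its subkeys are 2048 bits; `floor=80` flags only keys shorter than 1024 bits, which is the `<` versus `<=` distinction raised in the thread.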



"This key may be unsafe" - Redux

2011-03-07 Thread Charly Avital
> GPG Keychain Access 0.8.4 shows a red warning 'This key maybe unsafe'
> for *any* key with a length equal or inferior to 1024 bits.
[...]

> 
> Are keys whose length is equal or inferior to 1024 bits *unsafe*?
> If so, how are they unsafe?
> Where is this key length unsafe situation documented?

I am not aware of any GnuPG command in Terminal that would display or
warn about this situation. Is there any, or should there be any?


[...]

TIA.
Charly








"This key may be unsafe"

2011-03-07 Thread Charly Avital
GPG Keychain Access 0.8.4 shows a red warning 'This key maybe unsafe'
for *any* key with a length equal or inferior to 1024 bits.

GPG Keychain Access 0.8.4 is a GUI for key management for Mac users.


A Google search with key sentence "This key maybe unsafe" between
inverted commas, to limit the search to the whole sentence, displays
hits that relate directly or indirectly (Twitter) only to GPGTools' lists.

I am cross-posting to gnupg-users to try and get more feedback about
this issue:
Are keys whose length is equal or inferior to 1024 bits *unsafe*?
If so, how are they unsafe?
Where is this key length unsafe situation documented?

As a personal example, my primary key A57A8EFA is a DSA "old" 1024 bit
key, but its encryption subkey is 2048 bit long, and I use a sign-only
2048 bit long RSA subkey. I also get that red warning with GPG Keychain
Access 0.8.4

TIA.
Charly





