multiple subkeys and key transition

John Clizbe JPClizbe at tx.rr.com
Thu Dec 9 23:28:08 CET 2010


Robert J. Hansen wrote:
> On 12/9/10 1:30 PM, Ben McGinnes wrote:
> 
> If/when the time comes for SHA-1 to be completely removed from OpenPGP,
> the migration path will quite likely involve new keys -- the same way
> that the V3/V4 migration path in the past necessitated new keys.
> 
>> Since I prefer a more long-term approach, this should eventually lead
>> to 8,192-bit encryption keys when 4,096-bit becomes the default.
> 
> It is unlikely it ever will.  3K RSA keys are believed to be equivalent
> to a 128-bit symmetric key.  If computational power ever develops to
> that point, the solution is going to involve moving to entirely
> different algorithms instead of just tacking on another couple of bits.

Big ACK to what Rob just said.

Why 8192? 4096 RSA is extremely *unlikely* to ever be a default. Over the
summer, readers of the [Cryptography] mailing list were reminded that in 1993
folks thought that 1024-bit RSA 'should be ok (safe from key-factoring attacks)
for "a few decades".' A later post in that same thread went on to compare
equivalent strengths of RSA, symmetric keys and Elliptic Curve (ECC) keys.

How do elliptic curves compare to RSA today?

From the National Institutes of Science and Technology (one of the gold
standards for engineering know-how):

 RSA    ECC    Sym
 1024   160     80
 2048   224    112
 3072   256    128
 7680   384    192
15360   512    256

These recommendations can be found on page 63 of NIST Special
Publication 800-57, Recommendations for Key Management, Part I. 2nd Revision,
8 Mar, 2007.
[http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf]

112-bit symmetric is usually a reference to [three-key] 3DES.
(It's worth noting that most people in the crypto community are *deeply*
skeptical of any claims that 3DES can be cracked.  If 112 bits of
symmetric encryption are good enough for your purposes, then RSA-2048
should also be good enough for your purposes.)

That is to say, a 3072 bit RSA key is as tough as an ECC key based on a 256
bit field, which is as tough as a 128 bit symmetric key.

ECC cryptosystems on 256 bit field are practical today. 3072 bit RSA systems
are not.

The NSA's 2010 Suite-B[4] recommendations are:
     Type     Symmetric   Elliptic Curve    Hash
    Secret       128         256             256
   Top Secret    256         384             384

A key aspect of Suite B is its use of elliptic curve technology instead of
classical public key technology. During the transition to the use of elliptic
curve cryptography in ECDH and ECDSA, DH, DSA and RSA can be used with a
2048-bit modulus to protect classified information up to the _secret_ level
[http://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml].

So, depending on the source, a consensus seems to be forming that beyond a 2048
or 3072 bit modulus for DSA2 or RSA, folks need to switch to ECC.

2048-RSA is the current default in GnuPG. OpenPGP cards will support up to
3072-bit RSA; GnuPG up to 4096-bit RSA and 3072-bit DSA2. ECC in OpenPGP is on
its way toward becoming an RFC and being included in OpenPGP. Larger and larger
RSA keys aren't the solution, ECC is. The balance of power has tipped away from
RSA and toward ECC.



Feel free to ignore everything I've told you. There's no reason you should trust
me. But by all means, keep asking questions. But everything I've read agrees
longer RSA keys are not the path forward.

-John
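
Added example (not part of the original post): the equivalences in the NIST table quoted above can be approximated from attack costs, using the general number field sieve (GNFS) heuristic for RSA in the form given in NIST's FIPS 140-2 Implementation Guidance and the square-root (Pollard rho) bound for ECC. The function names are illustrative and the results are estimates, not NIST's published figures.

```python
import math

# Rows of the SP 800-57 table quoted in the post:
# (RSA modulus bits, ECC field bits, symmetric key bits)
POST_TABLE = [(1024, 160, 80), (2048, 224, 112), (3072, 256, 128),
              (7680, 384, 192), (15360, 512, 256)]

def rsa_strength_bits(modulus_bits):
    """Symmetric-equivalent strength of an RSA modulus under the GNFS heuristic."""
    ln_n = modulus_bits * math.log(2)            # natural log of the modulus
    # 1.923 ~ (64/9)^(1/3); 4.69 is the calibration offset (assumed from FIPS 140-2 IG)
    ln_work = 1.923 * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3) - 4.69
    return ln_work / math.log(2)                 # convert to bits of work

def ecc_strength_bits(field_bits):
    """Generic discrete-log attacks on a curve cost about 2^(n/2) operations."""
    return field_bits / 2

def rsa_bits_for_strength(target_bits, step=256):
    """Smallest modulus size (multiple of `step`) whose estimate reaches the target."""
    bits = step
    while rsa_strength_bits(bits) < target_bits:
        bits += step
    return bits

def compare():
    """Return (rsa, rsa_estimate, ecc, ecc_estimate, table_symmetric) per table row."""
    return [(rsa, round(rsa_strength_bits(rsa), 1), ecc, ecc_strength_bits(ecc), sym)
            for rsa, ecc, sym in POST_TABLE]

if __name__ == "__main__":
    print(f"{'RSA':>6} {'est.':>6} {'ECC':>5} {'est.':>6} {'table':>6}")
    for rsa, rsa_est, ecc, ecc_est, sym in compare():
        print(f"{rsa:>6} {rsa_est:>6} {ecc:>5} {ecc_est:>6.0f} {sym:>6}")
    # Doubling an RSA modulus buys far less than doubling a curve's field size.
    gain_rsa = rsa_strength_bits(8192) - rsa_strength_bits(4096)
    gain_ecc = ecc_strength_bits(512) - ecc_strength_bits(256)
    print(f"4096 -> 8192 bit RSA: +{gain_rsa:.0f} bits of strength")
    print(f"256 -> 512 bit ECC:  +{gain_ecc:.0f} bits of strength")
    print("RSA modulus needed for 128-bit strength:", rsa_bits_for_strength(128))
```

The estimates track the table to within a few bits. RSA strength grows sub-exponentially with modulus size, so each extra bit of security costs progressively more key material, while ECC strength grows linearly with field size.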

More information about the Gnupg-users mailing list