riseup.net OpenPGP Best Practices article

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Jun 26 17:26:16 CEST 2014


On 06/26/2014 10:26 AM, Robert J. Hansen wrote:
> So in a very real sense, anything past RSA-2048 is at best a "you
> *might* get some additional security, depending on what symmetric
> algorithm your correspondent uses.  Oh, and you can't forbid your
> correspondent from using 3DES, either."

Of course you can't, but this is a terrible argument.  You can't forbid
your correspondent from sending you mail in the clear either.

At any rate, the document under discussion also encourages people to
advertise preferences for stronger ciphers, so correspondents using
tools which respect those advertised preferences (like GnuPG) *will* get
the increase in strength described.


The goal of this document is to encourage people to make sure that
crypto is not the weak point in their communications.  Brute forcing
anything at a 2^103 security level [0] is likely infeasible, yes, but
brute-force isn't the only possible means of attack.  We don't know what
cryptanalytic improvements are known privately, but if anyone has a
speedup on the order of 2^30 (about a billion), then increasing the
keysize by about the same amount seems like a pretty reasonable safeguard.

Please read Bernstein's paper suggesting larger keysizes as a defense
against common parallel constructions (one form of speedup):

  http://cr.yp.to/snuffle/bruteforce-20050425.pdf

As for arguments about use on smartcards -- if you plan to get a
smartcard, and you have a primary key that is too large for it, you can
always generate and publish new subkeys that will fit in your smartcard.
 If that's the tradeoff that seems the most secure for you, that's fine,
and the fact that you were using stronger keys in your non-smartcard
implementation doesn't hurt you at all.  Smartcards are not a good
reason to object to larger keysizes for people who don't use smartcards.

The pushback of "don't bother using stronger crypto, something else will
be your problem" seems silly to me.  It's like saying "don't bother
fighting sexism, people are going hungry!"  We can (and should) push on
all of these fronts concurrently.

Regards,

	--dkg

[0] 2048-bit RSA is roughly equivalent to 103-bit symmetric crypto
according to ECRYPT-II:

 page 30 of http://www.ecrypt.eu.org/documents/D.SPA.20.pdf
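
The arithmetic behind the 2^103 figure and the 2^30 margin discussed in the message, as an added example that is not part of the original message. It uses the heuristic GNFS factoring cost with the o(1) term dropped; the 14-bit calibration offset, the function names, and the sample sizes 3072 and 4096 are assumptions made for this sketch, with the offset chosen so that 2048 bits reproduces the 103-bit figure cited in [0].

```python
import math

# Assumed calibration offset (in bits); chosen so a 2048-bit modulus
# comes out at roughly the 103 bits cited in footnote [0].
CALIBRATION_BITS = 14.0


def symmetric_bits(modulus_bits):
    """Estimate the symmetric-equivalent strength of an RSA modulus.

    Heuristic GNFS cost: exp(c * (ln N)^(1/3) * (ln ln N)^(2/3)) with
    c = (64/9)^(1/3). The o(1) term is dropped, the result is converted
    from nats to bits, and the calibration offset is subtracted.
    """
    ln_n = modulus_bits * math.log(2)
    ln_cost = (64 / 9) ** (1 / 3) * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return ln_cost * math.log2(math.e) - CALIBRATION_BITS


def margin_after_speedup(modulus_bits, speedup_bits):
    """Strength left if an attacker holds a 2^speedup_bits shortcut."""
    return symmetric_bits(modulus_bits) - speedup_bits


def modulus_for(target_bits, step=256):
    """Smallest modulus size (a multiple of step) reaching target_bits."""
    size = step
    while symmetric_bits(size) < target_bits:
        size += step
    return size


if __name__ == "__main__":
    speedup = 30  # the hypothetical 2^30 private speedup from the message
    baseline = symmetric_bits(2048)
    for size in (2048, 3072, 4096):  # constructed sample sizes
        print(f"RSA-{size}: ~{symmetric_bits(size):.1f} bits, "
              f"~{margin_after_speedup(size, speedup):.1f} after 2^{speedup} speedup")
    # Modulus size that still offers the 2048-bit baseline after the speedup.
    print("size restoring the baseline:", modulus_for(baseline + speedup))
```

Because factoring cost is sub-exponential in the modulus length, absorbing 30 bits of speedup takes well over a thousand extra modulus bits rather than 30.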
