does gpg cope with very large key sizes
David Shaw
dshaw at jabberwocky.com
Thu Sep 10 05:09:49 CEST 2009
On Sep 9, 2009, at 6:43 PM, Philippe Cerfon wrote:
> Hi list and GnuPG developers!
>
>
> Let me introduce myself,... I'm Philippe Cerfon and I'm currently
> taking some crypto-lectures... including all those fancy algorithms
> and so on ;-)
> Out of curiosity I was starting some test series on how key creation
> time and encryption/signing time relates to key sizes.
> I soon found out that gpg puts a limit on keys at 4096 bits which is
> surely reasonable for real world but somewhat disturbing my test.
>
> I was looking into the gnupg mailing list archives and found out
> that gpg is said to be able to work with larger keys. I've also seen
> that this topic is well somewhat critical, so to say it in
> advance,.. this is only for trying and playing :)
>
> So I grepped the sources (for both version 1.x and 2.x) and found
> that the limit is enforced here:
> g10/keygen.c: unsigned nbits, min, def=2048, max=4096;

Yes.

> So all I must do is e.g. set max = 65536 or even something higher ;-)
> Right so far?

Right, but you may be surprised how long it takes to generate a really
massive key. The key generation code is single-threaded, and
generally not optimized for really big keys.

> So my questions now are:
> - Is it done with changing the max or would I have to change some
> other places too in order to make everything work correctly (e.g.
> these max_length's or so)?

You should be okay with changing the ones in keygen.c.

> - Or is everything ok,.. and there's just this max=something in
> g10/keygen.c where you save users from shooting into their feet by
> creating too large keys but nothing else?

Pretty much true if your goal is to just do performance testing with
different sizes. I certainly wouldn't actually use such a key in the
real world, though.

David