generating RSA key sizes > 4096

Christoph Roland Murauer christoph_murauer at yahoo.de
Fri Nov 29 20:22:17 CET 2013


Hello!

As Werner wrote ... the only source code on the GPGTools website is the one from the patched GPG2 version from the GPGTools team and not the one from the GnuPG project (if there is a link or information about it, then I didn't find it). I don't know whether they provide the GPG 1 version as in the past in their installer because I don't use their installer / package. You can find more information on https://gpgtools.org/opensource.html ... build your own opinion about it as I did.

@Ido : If you like another keysize, simply change the value in g10/keygen.c and build it from source (works also fine on Mac OS X 10.9). But keep the words from Robert in mind. That means, a long key and a good passphrase / mantra for your keyring prevents no one from copying your entire keyrings.

@Robert : I would not call it downstream distributions as Ido does. But package managers like Fink, MacPorts and Homebrew provide a switch to change the key size. Homebrew for example builds GPG with a keysize of 4096 KBit by default, but you can use a switch (no patch in GnuPG - only an option in the Ruby script of Homebrew) to get 8192 KBit. You are right with the things you wrote about the key size and so on. The problem is, if a project like GPGTools provides bigger keys, then people use them (and want them) without asking about the background (generate a key / analyse a key) and so on ...

The Homebrew project never says that they provide their own GnuPG distribution, but that they want to make Unix (like) software available for everyone. As an example, the installation formula for GnuPG 1 at https://github.com/mxcl/homebrew/blob/master/Library/Formula/gnupg.rb - if the software was built from source, then the source code was fetched from ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-1.4.15.tar.bz2. And the command brew home gpg opened the website www.gnupg.org.

C. M.


Am 29.11.2013 um 17:10 schrieb "Robert J. Hansen" <rjh at sixdemonbag.org>:

>> Currently, several downstream distributions of GnuPG patch the GPG code in
>> their packages to support generating RSA keys larger than 4096 bits large.
> 
> Which ones besides GPGTools?
> 
> The choice of what range of sizes to support is not a trivial one.  The
> overwhelming majority of OpenPGP installations max out at a 4kbit key.
> 
> Further, there has been no clear message from the cryptographic
> community that such a large key is in any way useful.  NIST believes a
> 2048-bit key will be secure for 30 years; ENISA recommends a 3072-bit
> key.  Allowing a 4096-bit key allows people to go far beyond all the
> current recommendations; why should it go further?
> 
> Additionally, this tends to promote an obsession with key size -- very
> often at the expense of other important factors.  Whether something is
> protected by 2048-bit RSA or 8192-bit RSA doesn't matter a damn, since
> no one with two brain cells to rub together will try cryptanalyzing the
> traffic.  They'll resort to other methods instead.
> 
> So, yeah, I don't see a point for this patch, I'm sorry to say.  I have
> severe doubts as to whether explicitly supporting extraordinarily large
> keys is something GnuPG needs to do, support, or facilitate.
> 
> (I am not a GnuPG developer and I have absolutely no say in the final
> decision, FYI.)
> 
> _______________________________________________
> Gnupg-devel mailing list
> Gnupg-devel at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-devel
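As an added example (not code from this thread, from GnuPG or from Homebrew), the following Python script audits the keys in `gpg --list-keys --with-colons` output against a simple size policy: it flags keys below 2048 bits as weak and RSA keys above 4096 bits as likely to break interoperability, the point Robert raises about most OpenPGP installations maxing out at 4 kbit. The listing lines, key ids and user ids are constructed sample data, and the policy thresholds are assumptions.

```python
# Added example: key-size policy audit over `gpg --list-keys --with-colons`
# output. Not part of the original mailing-list thread.
# Colon-listing fields used here: 1 record type, 3 key length in bits,
# 4 public-key algorithm id, 5 key id, and field 10 of a uid record.

MIN_BITS = 2048             # assumed floor (NIST / ENISA level recommendations)
MAX_INTEROP_BITS = 4096     # assumed ceiling most OpenPGP implementations accept
RSA_ALGOS = {1, 2, 3}       # RSA sign+encrypt, encrypt-only, sign-only
FINITE_FIELD_ALGOS = RSA_ALGOS | {16, 17, 20}   # plus ElGamal and DSA

# Constructed sample listing: a 2048-bit RSA key, an 8192-bit RSA key,
# and an old 1024-bit DSA key (algorithm id 17).
SAMPLE_LISTING = """\
pub:u:2048:1:1111111111111111:1385000000:::u:::scESC:
uid:u::::1385000000::AAAA::Alice Example <alice@example.org>:
sub:u:2048:1:2222222222222222:1385000000::::::e:
pub:u:8192:1:3333333333333333:1385700000:::u:::scESC:
uid:u::::1385700000::BBBB::Bob Bigkey <bob@example.org>:
pub:-:1024:17:4444444444444444:1290000000:::-:::scESC:
uid:-::::1290000000::CCCC::Carol Old <carol@example.org>:
"""

def parse_keys(listing):
    """Return one dict per primary key: keyid, bits, algo and first user id."""
    keys, current = [], None
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            current = {"keyid": fields[4], "bits": int(fields[2]),
                       "algo": int(fields[3]), "uid": ""}
            keys.append(current)
        elif fields[0] == "uid" and current is not None and not current["uid"]:
            current["uid"] = fields[9]
    return keys

def classify(key):
    """Policy verdict for one parsed key: weak, oversized, ok or unchecked."""
    if key["algo"] not in FINITE_FIELD_ALGOS:
        return "unchecked"          # bit-length thresholds only apply to RSA/DSA/ElGamal
    if key["bits"] < MIN_BITS:
        return "weak"
    if key["algo"] in RSA_ALGOS and key["bits"] > MAX_INTEROP_BITS:
        return "oversized"
    return "ok"

def audit(listing):
    """Map key id -> verdict for every primary key in the listing."""
    return {k["keyid"]: classify(k) for k in parse_keys(listing)}

if __name__ == "__main__":
    for key in parse_keys(SAMPLE_LISTING):
        print(key["keyid"], key["bits"], classify(key), key["uid"])
```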


