Key length for integer- and finite-field cryptography
Robert J. Hansen
rjh at sixdemonbag.org
Thu Aug 7 19:32:27 CEST 2014
> Take-home: If you are using AES-256, you should max out your key size
> in GnuPG. (It is regrettable that only some versions seem to support
> strong key-sizes.)

Good grief, *no*, *no*, *no*.

This keeps on getting dusted off, and the answer never changes. Please
forgive me if I'm a little irate here, but I'm getting really tired of
people who bring this up without checking the mailing list history.

*If you require 256 bits of entropy throughout, you need to use
something other than GnuPG.* PGP stands for "Pretty Good Privacy." Not
perfect privacy, just pretty good, and not 256 bits of entropy
through-and-through. In fact, OpenPGP can only really be relied upon to
provide 112 bits of entropy[*].

The take-home is the same as it's always been. "If you need X bits of
entropy, check to make sure each step in the link provides at least X
bits. If some provide more, that's fine."

The average user will be well-served by 112 bits of entropy. That means
RSA-2048 works just fine for the average case. If a user who's
well-served by 112 bits of entropy wants to use AES-256, there's nothing
wrong with that, and the suggestion that they should revoke their
certificate and patch GnuPG to produce 16kbit keys is *just* *flamingly*

Using AES-256 is *not* a good reason to start using RSA-16k.

[*] if you want to know why this is the case, check the mailing list.
Short version: you have no control over what algorithms your
correspondents use, and they can always choose 3DES.
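
The per-link check described in the message, as an added example that is not part of the original post or of GnuPG. It estimates RSA strength with the GNFS-based formula from NIST's FIPS 140-2 Implementation Guidance (about 110 bits for RSA-2048, close to the 112-bit figure the post uses) and takes the minimum over every cipher a correspondent could pick. The function names, the strength table and the scenarios are assumptions made for illustration.

```python
import math

# Nominal symmetric strengths in bits (assumed table for this example);
# the 112-bit figure for 3DES is the one the post's footnote relies on.
SYMMETRIC_BITS = {"3DES": 112, "AES128": 128, "AES256": 256}


def rsa_strength_bits(modulus_bits):
    """Estimate RSA strength from the GNFS running time (FIPS 140-2 IG formula)."""
    ln_n = modulus_bits * math.log(2)
    work = 1.923 * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3) - 4.69
    return work / math.log(2)


def audit_chain(required_bits, rsa_modulus_bits, possible_ciphers):
    """Return (effective_bits, weak_links) for one certificate.

    possible_ciphers lists every cipher a correspondent may choose. The key
    owner does not control that choice, so the weakest entry is what counts.
    """
    links = {f"RSA-{rsa_modulus_bits}": rsa_strength_bits(rsa_modulus_bits)}
    for name in possible_ciphers:
        links[name] = float(SYMMETRIC_BITS[name])
    effective = min(links.values())
    weak = sorted(n for n, bits in links.items() if bits < required_bits)
    return effective, weak


if __name__ == "__main__":
    # Constructed scenarios: a 256-bit requirement against three setups.
    scenarios = [
        (2048, ["AES256"]),           # large cipher, ordinary key
        (15360, ["AES256"]),          # large cipher, very large key
        (15360, ["AES256", "3DES"]),  # same key, correspondent may pick 3DES
    ]
    for rsa_bits, ciphers in scenarios:
        effective, weak = audit_chain(256, rsa_bits, ciphers)
        print(f"RSA-{rsa_bits} + {ciphers}: ~{effective:.0f} bits, "
              f"below 256: {weak or 'none'}")
```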