effects and incompatibilities between GPG1.0.6 and PGP CKT 0

Kurt Fitzner kurt-fitzner@home.com
Sun Jul 8 23:42:01 2001

On 08-Jul-2001 Graham wrote:

>pplf> The CKT versions have been created to allow big keys (RSA 16k bits) and
>pplf> some others customisations.
>pplf> For info, PRZ has asked PGP users to not use these CKT versions for
>pplf> compatibility reasons.
gt> PRZ asked that big keys not be used... Imad has done just what software developers should. Listen to reasonable user requests, and design the requested functionality into the software without judging those requests. At the outset, I direct people to the excellent DH vs. RSA faq at: http://www.scramdisk.clara.net/pgpfaq.html I would ask you to read section 2.6, on "How big should my asymmetric key be?". It is excellently written, and lists its supporting documentation. The CKT versions are useful both in their support of large keys, and in their support of extra algorhythms. I do not wish to debate the reasons for using large keys. I simply wish to point out that there are reasons for using large keys, and whatever PRZ may think about those reasons (most of which he failed to address in his statement against large keys), and whatever you may feel about them, many people for both personal and industry use feel they are necesary. The job of software designers is not to debate why someone needs to print to that network printer, but make the software do what people believe they need. The same applies to keys. It is not a software designer's role to make judements on the key size a user wants, unless it is completely unreasonable and will hurt the functionality of the software. It is the software designer's role to make the software that satisfies the requirements of the users. I will add my reasons for desiring large keys at the end. They are included not to debate, but to for you to look at and determine if they represent a reasonable request by a user to a developer. I believe that Imad has done exactly what a software developer should, and developed the CKT versions in response to legitimate user requests. I would encourage you to invite him into the working group. Kurt -- _/_/_/ _/ _/ _/_/_/ _/_/_/ _/ _/_/_/ _/_/_/ _/_/ kfitzner@ _/ _/_/ _/ _/ _/ _/ _/ _/ _/ excelcia.2y.net _/_/ _/ _/ _/_/ _/ _/ _/ _/_/_/ _/ _/_/ _/ _/ _/ _/ _/ _/ _/ E-Dad _/_/_/ _/ _/ _/_/_/ _/_/_/ _/_/_/ _/_/_/ _/_/_/ _/ _/ PGPid 0xF621EDAD -- This is not to spark a debate - I do not want to see these reasons debated on the list - debate them to me privately if you wish. This is here for you to judge not whether you agree, but whether it is reasonable and as such, should be taken seriously by software developers. Reason to support creation of large (>2048) bit keys: 1) PRZ states "There is no advantage for using the keys larger than about 3000 bits" because "The 128-bit session keys have the same work factor to break as a 3000 bit RSA or DH key". He states that, because of this, they "contribute nothing to security". This fails to take into account that if you break a symetric key, you gain access to only one message, while if you break the asymetric key, you gain access to every message ever written. It is also useful to note that symetric keys are moving into the 256 bit range. By PRZ's own logic (reversed), it then makes the asymetric key the weak link. 2) Authentication is always more important than encryption. This is because authentication is both needed for its own sake, and because the entire web of trust for encryption is built on authentication. You cannot send an encrypted message to someone if you cannot authenticate their public key. Everything hinges on verification, yet the move is to smaller signature keys. Once 1024 bit signature keys are shown to be insecure, you cannot simply move to a larger signature key and transfer the trust from the smaller key. Can you transfer the trust of a broken key? Many people (the author included) live in areas where PGP usage is small, and getting inserted into that web of trust is difficult. Having to regain the trust and get back into the web of trust may be a severe hardship for someone who must move to a larger key because smaller keys are no longer secure. There will be severe damage to the entire web of trust if a scramble has to be made to move to larger signatures. 3) CPU cycles are cheap. Hard drives space is cheap. PRZ states that large keys "burden keyseyservers and everyone's keyrings" and that they "slow everything down". On a 386, a 4096 bit key might be burdensome to the CPU. Right now I use a Pentium 166 for my kids and family use in general. It can sign a 5120 bit key with little slowdown. I don't expect anyone has a computer in general use that is slower than that. With streaming media, whole CD and DVD ROM contents being downloaded over the net, even if every email user in the world adopted PGP and used 4096 keys to sign every mesage, the added traffic would be lost in the general traffic on the net today. 4) PRZ states that large keys "undermine other people's faith in their own keys that are of appropriate size". My only response to this is... good. PRZ is not a cryptographer. I am not a cryptographer. Here is what a cryptographer has to say: "If 512-bit keys are insecure today, they were just as insecure last month. Anyone implementing RSA should have moved to 1028-bit keys years ago, and should be thinking about 2048-bit keys today. It's tiring when people don't listen to cryptographers when they say that something is insecure, waiting instead for someone to actually demonstrate the insecurity." (B.Schneier, Crypto-Gram, Counterpane, 15th Sept 1999). Now, if you are one of those users who must move from 1024 bit to 2048 bit today, what does that do to your web of trust? See point 2 above. If 2048 bit keys are ok today, do you really, considering how easy and cheap it is to go larger, want to have to go through the work of going larger in 5 years? Closing: I respect PRZ, I am thankful for his advocacy and work on PGP. I am glad he put it on the line when it was needed in order to help win my right to use this software today. However, I think on large keys he was wrong. I do not believe that his statements should be the be-all end-all. I believe that they should be judged on their merit. I personally use a 2048 key for every-day use. I have, however, creatd a master 5120 bit key for my family, and gave this key revocation authority over my every-day key. If and when I ever find people who can sign my key to help me into the web ot trust, I will have them sign my large family key. I believe this is a very legitimate use of large keys.