effects and incompatibilities between GPG1.0.6 and PGP CKT 0

Kurt Fitzner kurt-fitzner@home.com
Sun Jul 8 23:42:01 2001


On 08-Jul-2001 Graham wrote:

>
>pplf> The CKT versions have been created to allow big keys (RSA 16k bits) and
>pplf> some other customisations.
>pplf> For info, PRZ has asked PGP users to not use these CKT versions for
>pplf> compatibility reasons.
>
gt> PRZ asked that big keys not be used...

Imad has done just what software developers should. Listen to reasonable user requests, and design the requested functionality into the software without judging those requests.

At the outset, I direct people to the excellent DH vs. RSA faq at: http://www.scramdisk.clara.net/pgpfaq.html I would ask you to read section 2.6, on "How big should my asymmetric key be?". It is excellently written, and lists its supporting documentation.

The CKT versions are useful both in their support of large keys, and in their support of extra algorithms. I do not wish to debate the reasons for using large keys. I simply wish to point out that there are reasons for using large keys, and whatever PRZ may think about those reasons (most of which he failed to address in his statement against large keys), and whatever you may feel about them, many people for both personal and industry use feel they are necessary.

The job of software designers is not to debate why someone needs to print to that network printer, but make the software do what people believe they need. The same applies to keys. It is not a software designer's role to make judgments on the key size a user wants, unless it is completely unreasonable and will hurt the functionality of the software. It is the software designer's role to make the software that satisfies the requirements of the users.

I will add my reasons for desiring large keys at the end. They are included not to debate, but for you to look at and determine if they represent a reasonable request by a user to a developer.

I believe that Imad has done exactly what a software developer should, and developed the CKT versions in response to legitimate user requests. I would encourage you to invite him into the working group.

Kurt

--
kfitzner@excelcia.2y.net
E-Dad
PGPid 0xF621EDAD
--

This is not to spark a debate - I do not want to see these reasons debated on the list - debate them to me privately if you wish. This is here for you to judge not whether you agree, but whether it is reasonable and as such, should be taken seriously by software developers.

Reasons to support creation of large (>2048) bit keys:

1) PRZ states "There is no advantage for using the keys larger than about 3000 bits" because "The 128-bit session keys have the same work factor to break as a 3000 bit RSA or DH key". He states that, because of this, they "contribute nothing to security". This fails to take into account that if you break a symmetric key, you gain access to only one message, while if you break the asymmetric key, you gain access to every message ever written. It is also useful to note that symmetric keys are moving into the 256 bit range. By PRZ's own logic (reversed), it then makes the asymmetric key the weak link.

2) Authentication is always more important than encryption. This is because authentication is both needed for its own sake, and because the entire web of trust for encryption is built on authentication. You cannot send an encrypted message to someone if you cannot authenticate their public key. Everything hinges on verification, yet the move is to smaller signature keys. Once 1024 bit signature keys are shown to be insecure, you cannot simply move to a larger signature key and transfer the trust from the smaller key. Can you transfer the trust of a broken key? Many people (the author included) live in areas where PGP usage is small, and getting inserted into that web of trust is difficult. Having to regain the trust and get back into the web of trust may be a severe hardship for someone who must move to a larger key because smaller keys are no longer secure. There will be severe damage to the entire web of trust if a scramble has to be made to move to larger signatures.

3) CPU cycles are cheap. Hard drive space is cheap. PRZ states that large keys "burden keyservers and everyone's keyrings" and that they "slow everything down". On a 386, a 4096 bit key might be burdensome to the CPU. Right now I use a Pentium 166 for my kids and family use in general. It can sign a 5120 bit key with little slowdown. I don't expect anyone has a computer in general use that is slower than that. With streaming media, whole CD and DVD ROM contents being downloaded over the net, even if every email user in the world adopted PGP and used 4096 keys to sign every message, the added traffic would be lost in the general traffic on the net today.

4) PRZ states that large keys "undermine other people's faith in their own keys that are of appropriate size". My only response to this is... good. PRZ is not a cryptographer. I am not a cryptographer. Here is what a cryptographer has to say:

"If 512-bit keys are insecure today, they were just as insecure last month. Anyone implementing RSA should have moved to 1028-bit keys years ago, and should be thinking about 2048-bit keys today. It's tiring when people don't listen to cryptographers when they say that something is insecure, waiting instead for someone to actually demonstrate the insecurity." (B.Schneier, Crypto-Gram, Counterpane, 15th Sept 1999).

Now, if you are one of those users who must move from 1024 bit to 2048 bit today, what does that do to your web of trust? See point 2 above. If 2048 bit keys are ok today, do you really, considering how easy and cheap it is to go larger, want to have to go through the work of going larger in 5 years?

Closing:

I respect PRZ, I am thankful for his advocacy and work on PGP. I am glad he put it on the line when it was needed in order to help win my right to use this software today. However, I think on large keys he was wrong. I do not believe that his statements should be the be-all end-all. I believe that they should be judged on their merit.

I personally use a 2048 key for every-day use. I have, however, created a master 5120 bit key for my family, and gave this key revocation authority over my every-day key. If and when I ever find people who can sign my key to help me into the web of trust, I will have them sign my large family key. I believe this is a very legitimate use of large keys.
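
The work-factor comparison in point 1 (128-bit session keys against roughly 3000-bit RSA, and what 256-bit symmetric keys imply) can be estimated with the general number field sieve running-time heuristic. This is an added example, not part of the original post; the function names are hypothetical, and the o(1) term of the formula is dropped, so the figures are rough estimates rather than calibrated equivalences.

```python
import math

# Constant in the general number field sieve (GNFS) cost estimate
# L_n[1/3, c] = exp(c * (ln n)^(1/3) * (ln ln n)^(2/3)), c = (64/9)^(1/3).
GNFS_C = (64 / 9) ** (1 / 3)


def gnfs_work_bits(modulus_bits: int) -> float:
    """Return log2 of the heuristic GNFS cost to factor an RSA modulus.

    Assumption: the o(1) term is dropped, so this is only a rough figure.
    """
    ln_n = modulus_bits * math.log(2)
    ln_cost = GNFS_C * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return ln_cost / math.log(2)


def modulus_bits_for(symmetric_bits: int) -> int:
    """Smallest modulus size whose estimated work factor reaches symmetric_bits."""
    lo, hi = 512, 1 << 17  # search range; the estimate is increasing in size
    while lo < hi:
        mid = (lo + hi) // 2
        if gnfs_work_bits(mid) >= symmetric_bits:
            hi = mid
        else:
            lo = mid + 1
    return lo


def table(sizes=(1024, 2048, 3072, 4096, 5120, 16384)):
    """Estimated work factor (in bits) for the key sizes named in the post."""
    return [(bits, round(gnfs_work_bits(bits), 1)) for bits in sizes]


if __name__ == "__main__":
    for bits, work in table():
        print(f"RSA {bits:>5} bits  ~ 2^{work} operations")
    for sym in (128, 256):
        print(f"{sym}-bit symmetric key ~ RSA {modulus_bits_for(sym)} bits")
```
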