How secure is GnuPG

Brian M. Carlson karlsson@hal-pc.org
Wed Jul 24 03:43:01 2002 

--mYCpIKhGyMATD0i+
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Tue, Jul 23, 2002 at 09:07:18PM -0400, David Shaw wrote:
> On Tue, Jul 23, 2002 at 05:27:31PM -0400, Daniel Carrera wrote:
> > > RSA signatures get larger in proportion to the size of the key.  If
> > > you are going to sign emails and such, be warned that a really big
> > > signing key is going to mean one huge signature at the bottom.  DSA
> > > signatures are very small.
> >=20
> > Do you suggest using DSA for signatures?
> > Is a 1024-bit DSA comparible, security-wise, to a 1024-bit RSA or ElGam=
al?
>=20
> DSA and ElGamal are based on the same underlying hard problem, so
> 1024-bit DSA and 1024-bit ElGamal are very similar security-wise.
> Note that DSA doesn't encrypt and ElGamal doesn't (usually) sign.

Well, I use Elgamal to sign sometimes. But there are only 28 Elgamal
type 20 (sign and encrypt) keys on the servers. By the way, I found out
that Taher Elgamal spells his name with a lower case "g". He also
allegedly has an OpenPGP key (0x507A237A).

> They work well as a pair of keys.
>=20
> > Is DSA a symmetric algorithm or is it asymmetric like RSA?  I ask becau=
se
> > I know that symmetric algorithms can achieve the same security for much
> > smaller keys.
>=20
> DSA is asymmetric.
>=20
> > > But seriously - forget all that.  The real question to ask yourself is
> > > *what do you want to do?*  The overwhelming majority of the time,
> > > people end up with a DSA signing key (1024, the maximum) and an
> > > ElGamal encryption key (2048-4096).  That is a good all-round safe
> > > choice for many uses (email being the most common example).
> >=20
> > Why is 1024 the maximum for DSA?  That's interesting.
>=20
> That's the spec.  I believe it was chosen to be somewhat in balance
> (with regards to strength) with the 160-bit hash that DSA also uses.

It can be anywhere from 512 bits to 1024 bits, but according to OpenPGP,
it should (MUST?) be at least 768 bits. Also, OpenPGP states its hash
algorithm MUST be 160 bits, but DSS (the standard which defines DSA)
states that the hash algorithm MUST be SHA1.

--=20
Brian M. Carlson <karlsson@hal-pc.org> <http://decoy.wox.org/~bmc> 0x560553=
E7
Do not sleep in a eucalyptus tree tonight.

--mYCpIKhGyMATD0i+
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.1.90 (GNU/Linux)
Comment: Ubi libertas, ibi patria.

iQFKBAEBAwA0BQI9PgZbLRpodHRwOi8vZGVjb3kud294Lm9yZy9+Ym1jL29wZW5w
Z3AvcG9saWN5LnRleAAKCRDlkf/JVgVT5/N+B/4z8uNekc5xIaQGMXgtwvoYDzzw
DrMFJHuZNxJO5INTWb7vjBcXbYlap5kZasLl4atY2QY5IUbcXD49EIWGbTujVWBc
+LjW0kJTeB0NHvOJ1nHev625N0bAvkouAS129U55ITHFJAkIaJF2Rq2LEKoPr0yB
UsubWZsUg6qnFvku7cg/wmME3WuMnffITUKVRFwKx6SKPFYs7JvG5hg5gU5OTio+
89gHF4d+a6ozcKpKFwkYoQgF5fohSh0EmG+lWGXPu+bvZxILHgt5aB13WqbcSed9
SjfxpoGcTJ4s+70yfV/BtFgyF6NOqlF0jEIgD/f3HlynGBR9Muwd/uPCV3Je
=Iaz+
-----END PGP SIGNATURE-----
Signature policy: http://decoy.wox.org/~bmc/openpgp/policy.tex

--mYCpIKhGyMATD0i+--