[Q] DSA 1024-bit limit.

Werner Koch wk@gnupg.org
Thu May 15 14:46:02 2003


On Wed, 14 May 2003 17:25:08 -0400, Daniel Carrera said:

> Does RSA signing use the same hash algorithm?
> Is the security of SHA-256 believed to be comparable to 1024-bit ElGamal 
> (as the second component of DSA)?

As quite usual in cryptography: We don't know exactly.  We can only
guess.  SHA-256 is much newer than SHA-1 and thus not as well matured.
It is however believed to be strong enough and it increases the
possibility of a birthday attack (which limits the useful length of
SHA-1 to 80 bits).  SHA-256 et al are required to match the
capabilities of AES.

> Since my key is encrypted in my hard drive, getting access to it should 
> not compromise my key, correct?
> So a hired burglar shouldn't do much good, right? (assuming I have a good 
> enough password of course).

It is unlikely that your passphrase is good enough to be compared
against a 1024 bit DSA key.  We are humans and must type them in.
Anyway, the three letter agencies usually visit your place two times:
to install a key logger and later to collect what it has gathered.

>> * a BIOS of your box or a clever CPU (think Transmeta) identifying
>> secret keys and posting them to a newsgroup.
>> 
>> * a rogue OS
>> 
>> * a trojan

> Doesn't the encryption of the key take care of these?

The CPU decrypts the key and thus at some point it is available in
plaintext.  A good passphrase in general gives you some time to detect
a compromised key and to distribute a revocation.  Trojans can easily
log all keystrokes.


Shalom-Salam,

   Werner

-- 
  Nonviolence is the greatest force at the disposal of
  mankind. It is mightier than the mightiest weapon of
  destruction devised by the ingenuity of man. -Gandhi