[Q] DSA 1024-bit limit.

Werner Koch wk@gnupg.org
Thu May 15 14:46:02 2003

On Wed, 14 May 2003 17:25:08 -0400, Daniel Carrera said:

> Does RSA signing use the same hash algorithm?
> Is the security of SHA-256 believed to be comparable to 1024-bit ElGamal 
> (as the second component of DSA)?

As quite usual in cryptography: We don't know exactly.  We can only
guess.  SHA-256 is much newer than SHA-1 and thus not as well matured.
It is however believed to be strong enough and it increases the
possibility of a birthday attack (which limits the useful length of
SHA-1 to 80 bits).  SHA-256 et al are required to match the
capabilities of AES.

> Since my key is encrypted in my hard drive, getting access to it should 
> not compromise my key, correct?
> So a hired burglar shouldn't do much good, right? (assuming I have a good 
> enough password of course).

It is unlikely that your passphrase is good enough to be compared
against a 1024 bit DSA key.  We are humans and must type them in.
Anyway, the three letter agencies usually visit your place two times:
to install a key logger and later to collect what it has gathered.

>> * a BIOS of your box or a clever CPU (think Transmeta) identifying
>> secret keys and posting them to a newsgroup.
>> * a rogue OS
>> * a trojan

> Doesn't the encryption of the key take care of these?

The CPU decrypts the key and thus at some point it is available in
plaintext.  A good passphrase in general gives you some time to detect
a compromised key and to distribute a revocation.  Trojans can easily
log all keystrokes.



  Nonviolence is the greatest force at the disposal of
  mankind. It is mightier than the mightiest weapon of
  destruction devised by the ingenuity of man. -Gandhi