RSA keys for encryption and in general DSA/RSA/ElGamal-keypairs

Ulrich Schneider lists at ulrichschneider.de
Wed Jun 16 07:53:59 CEST 2004


Hello everybody,

I'm new to PGP/gnupg. Some questions I have cannot be answered from
the www.gnupg.org FAQs and www.google.de. So probably you could help
me. That would be great!

Why are DSA keys always generated with only 1024 bits, even when I tell
gpg that the key has to be generated with 2048 bits? And why are there
different keypairs for signing and encryption? And why are these
keypairs of different kinds (DSA and ElGamal)? Why isn't there one
keypair used for signing and encryption?

gnupg says the following:
Please select what kind of key you want:
    (1) DSA and ElGamal (default)
    (2) DSA (sign only)
    (4) RSA (sign only)

So as you can see here, even RSA is used for signing only. Why is there
no possibility to use RSA keypairs for encryption?

The GNU Privacy Handbook says:
"GnuPG is able to create several different types of keypairs, but a
primary key must be capable of making signatures. There are therefore
only three options. Option 1 actually creates two keypairs. A DSA
keypair is the primary keypair usable only for making signatures. An
ElGamal subordinate keypair is also created for encryption. Option 2 is
similar but creates only a DSA keypair. Option 4[1] creates a single
ElGamal keypair usable for both making signatures and performing
encryption. In all cases it is possible to later add additional subkeys
for encryption and signing. For most users the default option is fine.

You must also choose a key size. The size of a DSA key must be between
512 and 1024 bits, and an ElGamal key may be of any size. GnuPG,
however, requires that keys be no smaller than 768 bits. Therefore, if
Option 1 was chosen and you choose a keysize larger than 1024 bits, the
ElGamal key will have the requested size, but the DSA key will be 1024
bits."

If there are always two public keys (one for signing and one for
encryption), the question arises: for which key is the fingerprint
computed? I guess for the main key. But what's going on with the subkey?
Is there no need to check the fingerprint of the subkey? Or is it
checked indirectly with the fingerprint of the main key? How does this work?

I also have another question. Is there a possibility to show a key in
human-readable form? The best output I produced is gpg --export --armor
<EMAILADRESS>. A key consists of an exponent and a modulus. Is there a
way to show these values?


Another problem:
I created a 2048 bit RSA keypair with gpg. When I try to encrypt a file
for this key, gnupg tells me:
gpg: 0x149881408FAB041C: skipped: unusable public key
gpg: <FILE>: encryption failed: unusable public key

I also have another 2048 bit RSA key in my keyring. Encryption for this
key works. How could that be? Sometimes it works, sometimes not? It
probably has something to do with which program the key was generated by.
Here are the comments taken from the public key block.

1. key (encryption doesn't work)
Version: GnuPG v1.2.4 (MingW32) - GPGshell v3.10

2. key (encryption works)
Version: PGPfreeware 5.5.3i for non-commercial use <http://www.pgpi.com>



Probably I asked you too many questions, but I'm really interested in
understanding how the whole thing works.

Best regards,
Ulrich Schneider
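The key structure the post asks about, as an added example that is not part of the original message and not GnuPG's own code: a small Python walker over OpenPGP (RFC 4880) public key packets. It shows that the v4 fingerprint is computed over the primary key packet only; that a subkey is tied to the primary by a 0x18 subkey-binding signature whose issuer key ID is the low 64 bits of the primary fingerprint, so checking the primary fingerprint (and letting gpg verify the binding signature) covers the subkey; how the raw MPIs (RSA exponent and modulus, DSA and ElGamal parameters) are read out of the packets; and the key-flags check that decides whether the block contains any key that may be used for encryption. Option (4) is modelled as an RSA primary whose self-signature grants only certify and sign; whatever the exact packets gpg 1.2.4 wrote, the question gpg asks is the same: is there a bound key flagged for encryption, and if not the key is "unusable" for encrypting. All three sample key blocks are constructed here with toy-sized numbers and dummy signature MPIs (nothing is cryptographically verified), and the fallback for a key without a key-flags subpacket (it keeps its algorithm's native capabilities) is an assumption about gpg's behaviour made for this example.

```python
import hashlib
import struct

# Added example, not GnuPG code. Key-flags bits (RFC 4880 5.2.3.21); 0x04/0x08 are the encrypt flags.
FLAG_CERTIFY, FLAG_SIGN, ENCRYPT = 0x01, 0x02, 0x04 | 0x08
ALGO = {1: "RSA", 16: "ElGamal", 17: "DSA"}       # public-key algorithm IDs (RFC 4880 9.1)
# Assumption about gpg: a key with no key-flags subpacket keeps its algorithm's native uses.
DEFAULT_FLAGS = {1: FLAG_CERTIFY | FLAG_SIGN | ENCRYPT, 16: ENCRYPT, 17: FLAG_CERTIFY | FLAG_SIGN}

def mpi(n):  # OpenPGP multi-precision integer: 2-byte bit length, then big-endian magnitude
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def packet(tag, body):  # old-format packet header with a two-byte length, as gpg 1.x writes for keys
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body

def key_body(algo, mpis, created=0x40D00000):  # v4 key packet body: version, time, algorithm, MPIs
    return bytes([4]) + struct.pack(">I", created) + bytes([algo]) + b"".join(map(mpi, mpis))

def fingerprint(body):  # v4 fingerprint (RFC 4880 12.2): SHA-1 over 0x99, 2-byte body length, body
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()

def subpacket(sp_type, body):  # signature subpacket; the length octet counts the type octet
    return bytes([len(body) + 1, sp_type]) + body

def sig_body(sig_type, issuer_keyid, key_flags):
    """v4 signature: creation time + key flags (hashed), issuer key ID (unhashed), dummy MPI."""
    hashed = subpacket(2, b"\x40\xd0\x00\x00") + subpacket(27, bytes([key_flags]))
    unhashed = subpacket(16, issuer_keyid)
    return (bytes([4, sig_type, 1, 2]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + b"\x00\x00" + mpi(1))

def parse_packets(data):
    """Yield (tag, body) for each old-format packet; new-format and indeterminate lengths are rejected."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if ctb & 0xC0 != 0x80 or ctb & 0x03 == 3:
            raise ValueError("only old-format headers with explicit lengths are handled")
        tag, hdr = (ctb >> 2) & 0x0F, (2, 3, 5)[ctb & 0x03]   # header size for 1/2/4-byte lengths
        length = int.from_bytes(data[pos + 1:pos + hdr], "big")
        yield tag, data[pos + hdr:pos + hdr + length]
        pos += hdr + length

def parse_signature(body):
    sig, pos = {"type": body[1], "key_flags": None, "issuer": None}, 4
    for _ in range(2):                                # hashed area, then unhashed area
        area_len = struct.unpack(">H", body[pos:pos + 2])[0]
        area, pos, p = body[pos + 2:pos + 2 + area_len], pos + 2 + area_len, 0
        while p < len(area):
            length, sp_type, sp_body = area[p], area[p + 1], area[p + 2:p + 1 + area[p]]
            if sp_type == 27:
                sig["key_flags"] = sp_body[0]
            elif sp_type == 16:
                sig["issuer"] = sp_body
            p += 1 + length
    return sig

def describe(cert):
    """Primary fingerprint/key ID, each key's algorithm, MPIs, flags and binding, and whether
    gpg would find a bound encryption-capable key (if not: 'unusable public key')."""
    keys, target = [], None
    for tag, body in parse_packets(cert):
        if tag in (6, 14):                            # public key / public subkey
            pos, mpis = 6, []                         # MPIs follow the version, time and algorithm octets
            while pos < len(body):                    # MPI: 2-byte bit length, then the magnitude
                end = pos + 2 + (struct.unpack(">H", body[pos:pos + 2])[0] + 7) // 8
                mpis.append(int.from_bytes(body[pos + 2:end], "big"))
                pos = end
            target = {"role": "primary" if tag == 6 else "subkey", "algo": ALGO.get(body[5], body[5]),
                      "mpis": mpis, "fingerprint": fingerprint(body).hex().upper(),
                      "flags": DEFAULT_FLAGS.get(body[5], 0), "bound": tag == 6}
            keys.append(target)
        elif tag == 13:                               # user ID: the self-signature after it describes the primary
            target = keys[0]
        elif tag == 2:
            sig = parse_signature(body)
            if sig["key_flags"] is not None:
                target["flags"] = sig["key_flags"]
            if sig["type"] == 0x18:                   # subkey is bound only if the primary issued its binding sig
                target["bound"] = sig["issuer"] == bytes.fromhex(keys[0]["fingerprint"][-16:])
    return {"fingerprint": keys[0]["fingerprint"], "keyid": keys[0]["fingerprint"][-16:], "keys": keys,
            "can_encrypt": any(k["bound"] and k["flags"] & ENCRYPT for k in keys)}

def build_cert(primary_algo, primary_mpis, primary_flags, subkey=None, subkey_issuer=None):
    """Primary key + user ID + self-signature, optionally a subkey + its 0x18 binding signature."""
    pk = key_body(primary_algo, primary_mpis)
    keyid = fingerprint(pk)[-8:]                      # low 64 bits of the primary fingerprint
    cert = (packet(6, pk) + packet(13, b"Example User <user at example.org>")
            + packet(2, sig_body(0x13, keyid, primary_flags)))
    if subkey:
        cert += packet(14, key_body(*subkey)) + packet(2, sig_body(0x18, subkey_issuer or keyid, ENCRYPT))
    return cert

# Constructed sample key blocks (toy-sized numbers): option (1) DSA primary + ElGamal subkey; option (4)
# "RSA (sign only)" with certify+sign flags and no subkey; and option (1) with a binding signature that
# names a different issuer, so the subkey is not tied to the primary and must not be encrypted to.
DSA_ELGAMAL = build_cert(17, [23, 11, 4, 8], FLAG_CERTIFY | FLAG_SIGN, subkey=(16, [23, 5, 19]))
RSA_SIGN_ONLY = build_cert(1, [65537, 3233], FLAG_CERTIFY | FLAG_SIGN)
UNBOUND_SUBKEY = build_cert(17, [23, 11, 4, 8], FLAG_CERTIFY | FLAG_SIGN, (16, [23, 5, 19]), b"\x00" * 8)
```

describe(DSA_ELGAMAL)["can_encrypt"] is True and describe(RSA_SIGN_ONLY)["can_encrypt"] is False: the RSA block carries a key, but none that is both bound to the primary and flagged for encryption, which is the state gpg reports as an unusable public key. The "mpis" entries are the exponent and modulus (RSA) or the group parameters (DSA, ElGamal) the post asks how to see. For a real key, gpg --list-packets dumps the same packet structure (tags, algorithms, signature subpackets), and pgpdump -i prints the MPI values in full.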
