RSA keys for encryption and in general DSA/RSA/ElGamal-keypairs

Atom 'Smasher' atom at suspicious.org
Wed Jun 16 09:22:44 CEST 2004 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 16 Jun 2004, Ulrich Schneider wrote:


> Why are DSA-Keys always generated with only 1024 bits even when I tell 
> gpg that the key has to be generated with 2048 bits.
=================

DSA is the "digital signature algorithm", DSS is the "digital signature 
standard" (both specified in FIPS-186). the ~algorithm~ can be used with 
any size hash or key, but the ~standard~ uses a 160 bit hash (SHA1) with a 
maximum key size of 1024. it's generally believed that a key larger than 
1024 bits used to sign a 160 bit hash would be a waste of bits.

there are some arguments against this logic, but it's already past my 
bedtime ;)


> And why are there different keypairs for signing and encryption? And why 
> are these keypairs from different kind (DSA and ElGamal). Why isn`t 
> there one keypair used for signing and encryption?
=================

as i understand it, this is largely a historical artifact. RSA performs 
reasonably well for both signing and encryption, but until recently (2000) 
it was not in the public domain. public domain algorithms (such as DSA and 
ElGamal) allowed public key crypto to be used in "free" applications 
before the RSA patent expired, and they're still with us today.

the ~other~ algorithms mostly tend to be better suited either for 
encryption or signing.

you ~can~ use a single RSA key for both encryption and signing, but there 
are advantages to having a "primary" key for signing, and one or more 
"subkeys" for encryption and/or signing.


> gnupg says the following:
> Please select what kind of key you want:
>   (1) DSA and ElGamal (default)
>   (2) DSA (sign only)
>   (4) RSA (sign only)
>
> So as you can see here, even RSA is used for signing only. Why is there
> no possibility to use RSA keypairs for encryption?
=================

if you use this:
 	$ gpg --expert --gen-key

you will have an option to create an RSA key that can be used for both 
signing and encryption:
 	(6) RSA (sign and encrypt)

you can use that all by itself as a key, but i'd recommend against it. 
that's what i use as my ~primary~ key: i have a DSA signing subkey and an 
ElGamal encryption subkey.



> The GNU Privacy Handbook says:
> "GnuPG is able to create several different types of keypairs, but a
> primary key must be capable of making signatures. There are therefore
> only three options. Option 1 actually creates two keypairs. A DSA
> keypair is the primary keypair usable only for making signatures. An
> ElGamal subordinate keypair is also created for encryption. Option 2 is
> similar but creates only a DSA keypair. Option 4[1] creates a single
> ElGamal keypair usable for both making signatures and performing
> encryption. In all cases it is possible to later add additional subkeys
> for encryption and signing. For most users the default option is fine.
================

out of date documentation.... ElGamal is no longer used for signatures.


> You must also choose a key size. The size of a DSA key must be between
> 512 and 1024 bits, and an ElGamal key may be of any size. GnuPG,
> however, requires that keys be no smaller than 768 bits. Therefore, if
> Option 1 was chosen and you choose a keysize larger than 1024 bits, the
> ElGamal key will have the requested size, but the DSA key will be 1024
> bits."
===================

768 is the smallest DSA key you can create now, but there hardly any 
reason to use anything less than 1024.


> If there is alway two public keys -one for signing and one for
> encryption- the question arise for which key is the fingerprint
> computed? I guess for the main-key.
====================

you don't ~need~ to have a separate signing and encryption key, but it's a 
good idea. you can have an RSA key that does both encryption and signing 
(with no subkeys) or you can have a sign-only key (with no encryption 
subkeys).

and yes, the "key fingerprint" is that of the primary key.


> But what`s going on with the subkey? Is there no need to check the 
> fingerprint of the subkey? Or is it checked indirectly with the 
> fingerprint of the main key? How does this work?
=====================

a subkey is "bound", or associated with, a particular primary key. if i 
tell you my "key fingerprint" is "1234", then my subkey(s) must be signed 
by the primary key (1234).

that implies (but doesn't actually prove) ownership of the subkey(s).

if you feel the need, you can check subkey fingerprints using this:
 	$ gpg --fingerprint --fingerprint {key id}



> I also have another question. Is there a possibility to show a key in
> human readable form. Best output I produced is a gpg --export --armor
> <EMAILADRESS>. A key consists of an exponent and a modulus. Is there a
> way to show these values?
=======================

pgpdump: PGP packet visualizer

pgpdump will let you look into the heart and soul of OpenPGP data, 
including keys. if you want to see the exponent, modulus and other fun 
math stuff do something like this:
 	$ gpg --export {key id} | pgpdump -i

and pipe that into a pager (more, less, most).


> Another problem:
> I created a 2048 bit RSA keypair with gpg. When I try to encrypt a file
> for this key, gnupg tells me:
> gpg: 0x149881408FAB041C: skipped: unusable public key
> gpg: <FILE>: encryption failed: unusable public key
>
> I also have another 2048 bit RSA key in my keyring. Encryption for this
> key works. How could that be? Sometimes it works, sometimes not? It
> probably has something to to, by which program the key was generated.
> Here are the comments taken from the public key block.
=====================

in order for an RSA key to work for both signing and encryption, you have 
to create it as a "sign and encrypt" RSA key, as described above.

using pgpdump, a sign-only RSA key will say:
                 Flag - This key may be used to certify other keys
                 Flag - This key may be used to sign data
a sign and encrypt RSA key will _also_ say:
                 Flag - This key may be used to encrypt communications
                 Flag - This key may be used to encrypt storage


> Probably I told you too many questions, but I`m relly interested in
> understanding, how the whole thing works.
====================

i know how it is... i'm new to pgp/gpg myself. i've only been using it for 
less than a year, but i started out by reading EVERYTHING i could find on 
the topic, twice (and asking some pretty stupid questions).

after playing and experimenting with it, i've become very comfortable with 
it's inner workings.

this is a good list for asking questions...



  	...atom

  _________________________________________
  PGP key - http://atom.smasher.org/pgp.txt
  762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
  -------------------------------------------------

 	"Cryptography is like literacy in the Dark Ages. Infinitely
 	 potent, for good and ill... yet basically an intellectual
 	 construct, an idea, which by its nature will resist efforts
 	 to restrict it to bureaucrats and others who deem only
 	 themselves worthy of such Privilege."
 		-- Vin McLellan,
 		A Thinking Man's Creed for Crypto
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.6 (FreeBSD)
Comment: What is this gibberish?
Comment: http://atom.smasher.org/links/#digital_signatures

iEYEARECAAYFAkDP9UoACgkQnCgLvz19QeMTxgCfRM6XykiuRz4jvgddyYhnX3m0
lpkAn2lV9XYLiUsyMdtY0pgSwfPDsdkR
=PAtl
-----END PGP SIGNATURE-----

More information about the Gnupg-users mailing list