RSA keys for encryption and in general DSA/RSA/ElGamal-keypairs
Atom 'Smasher'
atom at suspicious.org
Wed Jun 16 09:22:44 CEST 2004
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Wed, 16 Jun 2004, Ulrich Schneider wrote:
> Why are DSA-Keys always generated with only 1024 bits even when I tell
> gpg that the key has to be generated with 2048 bits.
=================
DSA is the "digital signature algorithm", DSS is the "digital signature
standard" (both specified in FIPS-186). the ~algorithm~ can be used with
any size hash or key, but the ~standard~ uses a 160 bit hash (SHA1) with a
maximum key size of 1024. it's generally believed that a key larger than
1024 bits used to sign a 160 bit hash would be a waste of bits.
there are some arguments against this logic, but it's already past my
bedtime ;)
> And why are there different keypairs for signing and encryption? And why
> are these keypairs of different kinds (DSA and ElGamal). Why isn't
> there one keypair used for signing and encryption?
=================
as i understand it, this is largely a historical artifact. RSA performs
reasonably well for both signing and encryption, but until recently (2000)
it was not in the public domain. public domain algorithms (such as DSA and
ElGamal) allowed public key crypto to be used in "free" applications
before the RSA patent expired, and they're still with us today.
the ~other~ algorithms mostly tend to be better suited either for
encryption or signing.
you ~can~ use a single RSA key for both encryption and signing, but there
are advantages to having a "primary" key for signing, and one or more
"subkeys" for encryption and/or signing.
> gnupg says the following:
> Please select what kind of key you want:
> (1) DSA and ElGamal (default)
> (2) DSA (sign only)
> (4) RSA (sign only)
>
> So as you can see here, even RSA is used for signing only. Why is there
> no possibility to use RSA keypairs for encryption?
=================
if you use this:
$ gpg --expert --gen-key
you will have an option to create an RSA key that can be used for both
signing and encryption:
(6) RSA (sign and encrypt)
you can use that all by itself as a key, but i'd recommend against it.
that's what i use as my ~primary~ key: i have a DSA signing subkey and an
ElGamal encryption subkey.
> The GNU Privacy Handbook says:
> "GnuPG is able to create several different types of keypairs, but a
> primary key must be capable of making signatures. There are therefore
> only three options. Option 1 actually creates two keypairs. A DSA
> keypair is the primary keypair usable only for making signatures. An
> ElGamal subordinate keypair is also created for encryption. Option 2 is
> similar but creates only a DSA keypair. Option 4[1] creates a single
> ElGamal keypair usable for both making signatures and performing
> encryption. In all cases it is possible to later add additional subkeys
> for encryption and signing. For most users the default option is fine.
================
out of date documentation.... ElGamal is no longer used for signatures.
> You must also choose a key size. The size of a DSA key must be between
> 512 and 1024 bits, and an ElGamal key may be of any size. GnuPG,
> however, requires that keys be no smaller than 768 bits. Therefore, if
> Option 1 was chosen and you choose a keysize larger than 1024 bits, the
> ElGamal key will have the requested size, but the DSA key will be 1024
> bits."
===================
768 is the smallest DSA key you can create now, but there's hardly any
reason to use anything less than 1024.
> If there are always two public keys -one for signing and one for
> encryption- the question arises: for which key is the fingerprint
> computed? I guess for the main-key.
====================
you don't ~need~ to have a separate signing and encryption key, but it's a
good idea. you can have an RSA key that does both encryption and signing
(with no subkeys) or you can have a sign-only key (with no encryption
subkeys).
and yes, the "key fingerprint" is that of the primary key.
> But what's going on with the subkey? Is there no need to check the
> fingerprint of the subkey? Or is it checked indirectly with the
> fingerprint of the main key? How does this work?
=====================
a subkey is "bound", or associated with, a particular primary key. if i
tell you my "key fingerprint" is "1234", then my subkey(s) must be signed
by the primary key (1234).
that implies (but doesn't actually prove) ownership of the subkey(s).
if you feel the need, you can check subkey fingerprints using this:
$ gpg --fingerprint --fingerprint {key id}
> I also have another question. Is there a possibility to show a key in
> human readable form. Best output I produced is a gpg --export --armor
> <EMAILADRESS>. A key consists of an exponent and a modulus. Is there a
> way to show these values?
=======================
pgpdump: PGP packet visualizer
pgpdump will let you look into the heart and soul of OpenPGP data,
including keys. if you want to see the exponent, modulus and other fun
math stuff do something like this:
$ gpg --export {key id} | pgpdump -i
and pipe that into a pager (more, less, most).
> Another problem:
> I created a 2048 bit RSA keypair with gpg. When I try to encrypt a file
> for this key, gnupg tells me:
> gpg: 0x149881408FAB041C: skipped: unusable public key
> gpg: <FILE>: encryption failed: unusable public key
>
> I also have another 2048 bit RSA key in my keyring. Encryption for this
> key works. How could that be? Sometimes it works, sometimes not? It
> probably has something to do with which program the key was generated by.
> Here are the comments taken from the public key block.
=====================
in order for an RSA key to work for both signing and encryption, you have
to create it as a "sign and encrypt" RSA key, as described above.
using pgpdump, a sign-only RSA key will say:
Flag - This key may be used to certify other keys
Flag - This key may be used to sign data
a sign and encrypt RSA key will _also_ say:
Flag - This key may be used to encrypt communications
Flag - This key may be used to encrypt storage
> Probably I asked you too many questions, but I'm really interested in
> understanding, how the whole thing works.
====================
i know how it is... i'm new to pgp/gpg myself. i've only been using it for
less than a year, but i started out by reading EVERYTHING i could find on
the topic, twice (and asking some pretty stupid questions).
after playing and experimenting with it, i've become very comfortable with
its inner workings.
this is a good list for asking questions...
...atom
_________________________________________
PGP key - http://atom.smasher.org/pgp.txt
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------
"Cryptography is like literacy in the Dark Ages. Infinitely
potent, for good and ill... yet basically an intellectual
construct, an idea, which by its nature will resist efforts
to restrict it to bureaucrats and others who deem only
themselves worthy of such Privilege."
-- Vin McLellan,
A Thinking Man's Creed for Crypto
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.6 (FreeBSD)
Comment: What is this gibberish?
Comment: http://atom.smasher.org/links/#digital_signatures
iEYEARECAAYFAkDP9UoACgkQnCgLvz19QeMTxgCfRM6XykiuRz4jvgddyYhnX3m0
lpkAn2lV9XYLiUsyMdtY0pgSwfPDsdkR
=PAtl
-----END PGP SIGNATURE-----
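
The sign-only versus sign-and-encrypt distinction discussed in the message, and the resulting "unusable public key" error, can also be checked from gpg's machine-readable listing (`gpg --list-keys --with-colons`), where field 12 of each `pub`/`sub` record carries the capability letters. This is an added example, not part of the original post: the listing and key IDs are constructed, and the function names are hypothetical.

```python
"""Report which keys in a `gpg --list-keys --with-colons` listing can encrypt."""

ALGOS = {"1": "RSA", "16": "ElGamal", "17": "DSA"}  # OpenPGP algorithm IDs
DEAD = {"r", "e", "i"}  # validity field: revoked, expired, invalid

# Constructed sample listing (not real keys): a sign-only RSA key, an RSA
# sign-and-encrypt key, a DSA primary with an ElGamal subkey, and a DSA
# primary whose only encryption subkey has expired.
SAMPLE = """\
pub:u:2048:1:1111111111111111:1087344000:::u:::scSC:
uid:u::::1087344000::::Sign Only <a@example.org>:
pub:u:2048:1:2222222222222222:1087344000:::u:::escESC:
uid:u::::1087344000::::Sign And Encrypt <b@example.org>:
pub:u:1024:17:3333333333333333:1087344000:::u:::scESC:
uid:u::::1087344000::::Default Type <c@example.org>:
sub:u:2048:16:4444444444444444:1087344000::::::e:
pub:u:1024:17:5555555555555555:1087344000:::u:::scSC:
uid:u::::1087344000::::Expired Subkey <d@example.org>:
sub:e:2048:16:6666666666666666:1087344000:1118880000:::::e:
"""

def parse_keys(listing):
    """Group pub/sub records into primary keys with their subkeys."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] not in ("pub", "sub") or len(f) < 12:
            continue  # uid, fpr and other record types are not needed here
        part = {"keyid": f[4], "algo": ALGOS.get(f[3], "algo " + f[3]),
                "bits": int(f[2]), "caps": f[11], "live": f[1] not in DEAD}
        if f[0] == "pub":
            keys.append({"primary": part, "subkeys": []})
        elif keys:
            keys[-1]["subkeys"].append(part)  # subkey belongs to last primary
    return keys

def encryption_keys(key):
    """Key IDs of the live parts whose own (lowercase) flags include 'e'."""
    parts = [key["primary"]] + key["subkeys"]
    return [p["keyid"] for p in parts if p["live"] and "e" in p["caps"]]

def report(listing):
    """Map each primary key ID to the key IDs that can receive encryption."""
    return {k["primary"]["keyid"]: encryption_keys(k) for k in parse_keys(listing)}

if __name__ == "__main__":
    for keyid, usable in report(SAMPLE).items():
        print(keyid, "->", ", ".join(usable) or "none (unusable public key)")
```

An empty list for a primary key corresponds to the case where gpg refuses to encrypt to it; uppercase letters on the `pub` record are ignored here because they summarise the whole key rather than that key packet's own flags.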