Strongest Key, Hash, and Cypher Algorithms

Wesley Tabadore wesley.tabadore at gmail.com
Sat Feb 12 23:26:57 CET 2005


> right. when you select (1) and generate a DSA/elgamal key, you're creating
> a DSA primary (signing) key with an elgamal (encryption) subkey.
> 
> if you generate an RSA key you have to add subkeys after the primary is
> generated.

If when I create the RSA key I set the capabilities to both Sign and
Encrypt, do I still need to add subkeys after creating the RSA key? 
What are the benefits if any?

I tried using the key to both sign and encrypt and it seems to work.

Thanks,

Wes


On Thu, 10 Feb 2005 01:29:37 -0500 (EST), Atom Smasher <atom at smasher.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> On Wed, 9 Feb 2005, Wesley Tabadore wrote:
> 
> > When generating keys, these are the only options:
> >
> >   (1) DSA and Elgamal (default)
> >   (2) DSA (sign only)
> >   (5) RSA (sign only)
> >
> > However, using the --expert switch, additional options are available as well:
> >
> >   (3) DSA (set your own capabilities)
> >   (7) RSA (set your own capabilities)
> >
> > If I choose #7 (RSA), I can choose whether to set the capabilities of
> > the key as any or all of: Sign Encrypt Authenticate.
> >
> > First, why is this considered an "expert" option?  Second,
> > Authenticate is off by default when I chose #7, what is the
> > Authenticate flag used for and is there a specific reason it is off by
> > default?  Is an RSA key considered to be any more secure than a DSA
> > key?
> ===============
> 
> these are mostly questions for dave & werner. i think the expert options
> are hidden because most people never use/need them, and hiding them makes
> it easier for noobs who will use the defaults anyway.
> 
> the authenticate capability is new, and isn't really used anywhere that i
> know of. one of the things that it may be used for in the future is SSH
> authentication.
> 
> it is generally considered that DSA (and elgamal) has "more security per
> bit" than RSA, but not by a considerable margin. between a 1024 bit RSA
> key and a 1024 bit DSA key, they're both just as hard to break (for all
> practical purposes). so, since DSA is limited to 1024 bits and RSA
> isn't... well, do the math...
> 
> 
> > Lastly, when I issue a --list-keys command, after generating an RSA
> > key (using --expert), I see the following:
> >
> >             pub   4096R/D0915403 2005-02-09
> >             uid                  Wesley Tabadore <wesley.tabadore at gmail.com>
> >
> > However, after generating a DSA and Elgamal key, and then issuing the
> > --list-keys command, I get:
> >
> >             pub   1024D/A4FD0FD9 2005-02-03
> >             uid                  Wesley Tabadore <wesley.tabadore at gmail.com>
> >             sub   2048g/715F1580 2005-02-03
> >
> > There appears to be an extra key (sub).  Am I right in thinking that
> > the 1024-bit key above is for signing and the 2048-bit key is for
> > encryption?  If not, what are they for?
> ================
> 
> right. when you select (1) and generate a DSA/elgamal key, you're creating
> a DSA primary (signing) key with an elgamal (encryption) subkey.
> 
> if you generate an RSA key you have to add subkeys after the primary is
> generated.
> 
> you can use "pgpdump" to look inside a key and see what it's made of. that
> helped me greatly in understanding how this all works.
> 
> - --
>         ...atom
> 
>  _________________________________________
>  PGP key - http://atom.smasher.org/pgp.txt
>  762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
>  -------------------------------------------------
> 
>        "Men occasionally stumble over the truth,
>         but most of them pick themselves up and
>         hurry off as if nothing had happened."
>                -- Winston Churchill
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.0 (FreeBSD)
> Comment: What is this gibberish?
> Comment: http://atom.smasher.org/links/#digital_signatures
> 
> iQEcBAEBCAAGBQJCCv9WAAoJEAx/d+cTpVcic1kH/2NF9Vdemrc8WIJ9FXLkniGP
> EQbtS8qPAdjiHaxY5MxfhG1VptMtgwC8KsapvLfp9ezbaYOLBIHcUrmhmpNm0ExZ
> floseIiSPZ1UEJE2dbC3IpsvMQzVKs5kzw5fPi3Vm3oPxKnIQlO0K1E6lhERn/nC
> iUNTmojLH/KY/GZlhnZiBWrgggvqebTcizn1OBaiSrimwSzyAlYpWOKUCQGWh/6n
> Q1WGrGSWbPcayit5ZPli+doNHi5VWuGT3yJ3Y1Xtgpd+OE28xhAMyj9H1a7S2HxY
> kFZ8tbDJuV0tLmtx3euPg02Qu6KtNiA0rEbrm4zG4SNo/U16rSwOv1xqcHo65C0=
> =GSSv
> -----END PGP SIGNATURE-----
>
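The two layouts discussed above (a DSA primary with an Elgamal encryption subkey, versus a single RSA key that carries the Sign and Encrypt capabilities itself) are visible directly in the key's packets, which is what pgpdump shows. The Python script below is an added example and is not part of this thread or of GnuPG: it walks an RFC 4880 packet stream and reports each key packet with its algorithm, size and the usage letters from the key-flags subpacket of the self-signature that follows it. The key blocks it inspects are constructed in the script from placeholder MPIs (the "Example User" user ID, the creation timestamp and every MPI value are made up) so that it runs offline; for a real exported key, `pgpdump` or `gpg --list-packets` gives the same view.

```python
"""Added example, not from the thread: a tiny OpenPGP (RFC 4880) packet walker in the spirit
of pgpdump. It lists each key packet in a key block with its algorithm, size and the usage
flags (S/C/E/A) from the self-signature that follows. Sample keys below are CONSTRUCTED."""
import struct

TAG_SIGNATURE, TAG_PUBLIC_KEY, TAG_USER_ID, TAG_PUBLIC_SUBKEY = 2, 6, 13, 14
ALGO_NAMES = {1: "RSA", 16: "Elgamal", 17: "DSA"}
KEY_FLAGS_SUBPACKET = 27                                   # RFC 4880 section 5.2.3.21
USAGE_BITS = ((0x02, "S"), (0x01, "C"), (0x0C, "E"), (0x20, "A"))   # gpg's usage letters

def _read_length(buf, i, subpacket=False):
    """Decode a new-format packet (or subpacket) length starting at buf[i]."""
    b0 = buf[i]
    if b0 < 192:
        return b0, i + 1
    if b0 < (255 if subpacket else 224):                   # two-octet form
        return ((b0 - 192) << 8) + buf[i + 1] + 192, i + 2
    if b0 == 255:                                          # five-octet form
        return struct.unpack(">I", buf[i + 1:i + 5])[0], i + 5
    raise ValueError("partial body lengths are not supported")

def read_packets(data):
    """Yield (tag, body) for every packet; old- and new-format headers are both handled."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if ctb & 0x40:                                     # new format: tag in low 6 bits
            tag = ctb & 0x3F
            length, i = _read_length(data, i + 1)
        else:                                              # old format: tag in bits 2..5
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length is not supported")
            nbytes = (1, 2, 4)[ltype]
            length = int.from_bytes(data[i + 1:i + 1 + nbytes], "big")
            i += 1 + nbytes
        yield tag, data[i:i + length]
        i += length

def parse_key_packet(body):
    """Version-4 key body: version, 4-byte creation time, algorithm id, then the MPIs."""
    if body[0] != 4: raise ValueError("only v4 key packets are handled")
    algo, bits = body[5], struct.unpack(">H", body[6:8])[0]   # first MPI: n (RSA) or p (DSA/Elgamal)
    return {"algo": ALGO_NAMES.get(algo, f"algo{algo}"), "bits": bits}

def key_flags_from_signature(body):
    """Usage letters from the key-flags subpacket of a v4 signature ('' if absent)."""
    if body[0] != 4: return ""                             # v3 signatures carry no subpackets
    hashed, i = body[6:6 + struct.unpack(">H", body[4:6])[0]], 0   # hashed subpacket area
    while i < len(hashed):
        length, i = _read_length(hashed, i, subpacket=True)
        if hashed[i] & 0x7F == KEY_FLAGS_SUBPACKET:        # high bit is "critical"; ignored here
            return "".join(letter for mask, letter in USAGE_BITS if hashed[i + 1] & mask)
        i += length
    return ""

def describe_key(data):
    """One dict per key packet, carrying the usage flags of the signature that follows it."""
    keys = []
    for tag, body in read_packets(data):
        if tag in (TAG_PUBLIC_KEY, TAG_PUBLIC_SUBKEY):
            keys.append(dict(parse_key_packet(body), kind="pub" if tag == TAG_PUBLIC_KEY else "sub", usage=""))
        elif tag == TAG_SIGNATURE and keys and not keys[-1]["usage"]:
            keys[-1]["usage"] = key_flags_from_signature(body)
    return keys

def _mpi(bits):      # CONSTRUCTED MPI holding exactly `bits` bits (placeholder, NOT real key material)
    return struct.pack(">H", bits) + (1 << (bits - 1)).to_bytes((bits + 7) // 8, "big")

def _packet(tag, body):                                    # new-format header, 1- or 2-octet length
    n = len(body)
    if n < 192:
        return bytes([0xC0 | tag, n]) + body
    return bytes([0xC0 | tag, 192 + ((n - 192) >> 8), (n - 192) & 0xFF]) + body

def _key_packet(tag, algo, mpi_bits):                      # creation time is a constructed value
    return _packet(tag, bytes([4]) + struct.pack(">I", 1107907200) + bytes([algo]) + b"".join(map(_mpi, mpi_bits)))

def _flag_signature(sig_type, flags):                      # v4 sig whose hashed area is one key-flags subpacket
    hashed = bytes([2, KEY_FLAGS_SUBPACKET, flags])        # dummy unhashed area, hash prefix and MPIs follow
    body = bytes([4, sig_type, 17, 8]) + struct.pack(">H", 3) + hashed + b"\x00" * 4
    return _packet(TAG_SIGNATURE, body + _mpi(160) + _mpi(160))

def sample_key(primary_algo, primary_mpis, primary_flags, subkey=None):
    blob = (_key_packet(TAG_PUBLIC_KEY, primary_algo, primary_mpis)
            + _packet(TAG_USER_ID, b"Example User <user at example.org>")
            + _flag_signature(0x13, primary_flags))         # 0x13 = positive certification
    if subkey:
        algo, mpis, flags = subkey
        blob += _key_packet(TAG_PUBLIC_SUBKEY, algo, mpis) + _flag_signature(0x18, flags)  # binding sig
    return blob

# option (1): DSA 1024 primary flagged S+C with an Elgamal 2048 subkey flagged E
DSA_ELGAMAL = sample_key(17, (1024, 160, 1024, 1024), 0x03, subkey=(16, (2048, 2048, 2048), 0x0C))
# option (7) with Sign and Encrypt both set on a single RSA 4096 primary, no subkey
RSA_SIGN_ENCRYPT = sample_key(1, (4096, 17), 0x0F)
```

`describe_key(DSA_ELGAMAL)` yields a `pub` DSA 1024 entry flagged `SC` and a `sub` Elgamal 2048 entry flagged `E`, matching the two lines in the `--list-keys` output quoted above; `describe_key(RSA_SIGN_ENCRYPT)` yields a single `pub` RSA 4096 entry flagged `SCE` and no subkey at all, which is why such a key both signs and encrypts without any further step. The practical difference is that with separate packets the encryption subkey can be expired, revoked or replaced on its own while the primary key and its certifications stay valid.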



More information about the Gnupg-users mailing list