key sizes: maximum size and shrinking
Nico Schottelius
nico-linux-gnupg at schottelius.org
Thu Aug 9 22:42:13 CEST 2007
Hello guys!
We are trying to write a chat protocol, which uses gpg (gpgme
especially) for encryption / signing. As it is an chat protocol, we try
to keep latency down.
As far as I can see the biggest packets we'll have are those containing
the key exchange (as others are only messages, transport protocol
metadata, ..., but no packet is > 1 KiB).
I did some tests (dirty notes attached) and it looks like the whole
packet is about 5KiB (which is pretty much):
4096-bit dsa-elgamal public key, binary: 1680 Bytes
+ Initial Key exchange metadata / data: 2 + 2 + 4 + 128 tp + 2 = 138 Bytes
= 3008 bytes for one inner packet, containing one transport protocol
+ n * 128 bytes nexthop specification, n == 8, => 1024 Bytes
testing showed 128 bytes are enough, see doc/packets/outer-draft1 for tests
+ encyption + signatur
= 4033 Bytes in test
==> ~ 5 KiB including possible bigger keys
That's really much, as we intend to have static packet sizes (indenpendent of content,
so external watchers cannot see which type of packet is sent) and
continues traffic (so one cannot determine if we send data or noise).
The first idea was to use a send interval of 250ms, but that would make
~20KiB/s + protocol overhead (transport protocols maybe mostly everything,
including. http, smtp, ftp, ..., everything that may transport bytes).
With this size we could only do a maximum of 2s intervals...
So my questions to you gnupg experts are:
- Is there a maximum size for an exported, non-armored public key?
=> if yes, we could use that as a base and pad the rest
- Are there any good (possibly gnupg / gpgme included) methods to shrink
the size of the exported public key?
- Or would you recommened using gzip/bzip2/lzma additionally?
As far as I've tested it, gzip and bzip2 are just adding header
overhead, so I assume gnupg already does some compression itself.
Thanks for any hint,
Nico
--
Think about Free and Open Source Software (FOSS).
http://nico.schottelius.org/documentations/foss/the-term-foss/
PGP: BFE4 C736 ABE5 406F 8F42 F7CF B8BE F92A 9885 188C
-------------- next part --------------
List of keys:
[20:54] denkbrett:gpg-tests% gpg --homedir ./dot-gpg --list-keys
./dot-gpg/pubring.gpg
---------------------
pub 1024D/B9F52B24 2007-08-09
uid dsa-elgamal-4096bits (no at comment) <no at email>
sub 4096g/F6684B3A 2007-08-09
pub 1024D/477FAD1B 2007-08-09
uid dsa-elgamal-2048 (no at comment-key2) <no at email>
sub 2048g/5632130B 2007-08-09
pub 1024D/9C303CE6 2007-08-09
uid dsa-elgamal-4096-2 (and no further comments) <no at email-again>
sub 4096g/6BF7E5E9 2007-08-09
[21:08] denkbrett:gpg-tests% gpg --homedir ./dot-gpg --list-secret-keys
./dot-gpg/secring.gpg
---------------------
sec 1024D/B9F52B24 2007-08-09
uid dsa-elgamal-4096bits (no at comment) <no at email>
ssb 4096g/F6684B3A 2007-08-09
sec 1024D/477FAD1B 2007-08-09
uid dsa-elgamal-2048 (no at comment-key2) <no at email>
ssb 2048g/5632130B 2007-08-09
sec 1024D/9C303CE6 2007-08-09
uid dsa-elgamal-4096-2 (and no further comments) <no at email-again>
ssb 4096g/6BF7E5E9 2007-08-09
--------------------------------------------------------------------------------
Exporting some keys:
# 4096 bits / my real key
[19:37] denkbrett:test% gpg -a --export 9885188C | wc -c
3473
# 4096 bits
pub 1024D/B9F52B24 2007-08-09
uid dsa-elgamal-4096bits (no at comment) <no at email>
sub 4096g/F6684B3A 2007-08-09
[20:33] denkbrett:gpg-tests% gpg --homedir ./dot-gpg --export -a | wc -c
2388
[20:37] denkbrett:gpg-tests% gpg --homedir ./dot-gpg --export -a B9F52B24 | wc -c
2388
[20:36] denkbrett:gpg-tests% gpg --homedir ./dot-gpg --export B9F52B24 | wc -c
1680
# 2048
[20:35] denkbrett:gpg-tests% gpg --homedir ./dot-gpg --list-keys 2048
pub 1024D/477FAD1B 2007-08-09
uid dsa-elgamal-2048 (no at comment-key2) <no at email>
sub 2048g/5632130B 2007-08-09
[20:36] denkbrett:gpg-tests% gpg --homedir ./dot-gpg --export -a 477FAD1B | wc -c
1698
[20:36] denkbrett:gpg-tests% gpg --homedir ./dot-gpg --export 477FAD1B | wc -c
1169
--------------------------------------------------------------------------------
Sign exported key
--local-user name
-u Use name as the key to sign with. Note that this option overrides --default-key
--default-key name
[21:09] denkbrett:gpg-tests% gpg --homedir ./dot-gpg --export B9F52B24 -a | gpg --homedir ./dot-gpg/ -u B9F52B24 -s -a | wc -c
You need a passphrase to unlock the secret key for
user: "dsa-elgamal-4096bits (no at comment) <no at email>"
1024-bit DSA key, ID B9F52B24, created 2007-08-09
4723
[21:09] denkbrett:gpg-tests% gpg --homedir ./dot-gpg --export B9F52B24 | gpg --homedir ./dot-gpg/ -u B9F52B24 -s -a | wc -c
You need a passphrase to unlock the secret key for
user: "dsa-elgamal-4096bits (no at comment) <no at email>"
1024-bit DSA key, ID B9F52B24, created 2007-08-09
2505
[21:10] denkbrett:gpg-tests% gpg --homedir ./dot-gpg --export B9F52B24 | gpg --homedir ./dot-gpg/ -u B9F52B24 -s | wc -c
You need a passphrase to unlock the secret key for
user: "dsa-elgamal-4096bits (no at comment) <no at email>"
1024-bit DSA key, ID B9F52B24, created 2007-08-09
1777
[21:15] denkbrett:gpg-tests% gpg --homedir ./dot-gpg --export B9F52B24 | gpg --homedir ./dot-gpg/ -u B9F52B24 --sign --encrypt --recipient 9C303CE6 --armor | wc -c
You need a passphrase to unlock the secret key for
user: "dsa-elgamal-4096bits (no at comment) <no at email>"
1024-bit DSA key, ID B9F52B24, created 2007-08-09
3983
[21:17] denkbrett:gpg-tests% gpg --homedir ./dot-gpg --export B9F52B24 | gpg --homedir ./dot-gpg/ -u B9F52B24 --sign --encrypt --recipient 9C303CE6 | wc -c
You need a passphrase to unlock the secret key for
user: "dsa-elgamal-4096bits (no at comment) <no at email>"
1024-bit DSA key, ID B9F52B24, created 2007-08-09
2870
--------------------------------------------------------------------------------
Plus noise:
[21:53] denkbrett:gpg-tests% (cat 512bytes; gpg --homedir ./dot-gpg --export B9F52B24) | gpg --homedir ./dot-gpg/ -u B9F52B24 --sign --encrypt --recipient 9C303CE6 | wc -c
You need a passphrase to unlock the secret key for
user: "dsa-elgamal-4096bits (no at comment) <no at email>"
1024-bit DSA key, ID B9F52B24, created 2007-08-09
3380
[21:53] denkbrett:gpg-tests% (cat 512bytes 512bytes; gpg --homedir ./dot-gpg --export B9F52B24) | gpg --homedir ./dot-gpg/ -u B9F52B24 --sign --encrypt --recipient 9C303CE6 | wc -c
You need a passphrase to unlock the secret key for
user: "dsa-elgamal-4096bits (no at comment) <no at email>"
1024-bit DSA key, ID B9F52B24, created 2007-08-09
3424
[21:55] denkbrett:gpg-tests% (cat 4096bytes; gpg --homedir ./dot-gpg --export B9F52B24) | gpg --homedir ./dot-gpg/ -u B9F52B24 --sign --encrypt --recipient 9C303CE6 | wc -c
You need a passphrase to unlock the secret key for
user: "dsa-elgamal-4096bits (no at comment) <no at email>"
1024-bit DSA key, ID B9F52B24, created 2007-08-09
6968
[22:05] denkbrett:gpg-tests% (cat 2048bytes; gpg --homedir ./dot-gpg --export B9F52B24) | gpg --homedir ./dot-gpg/ -u B9F52B24 --sign --encrypt --recipient 9C303CE6 | wc -c
You need a passphrase to unlock the secret key for
user: "dsa-elgamal-4096bits (no at comment) <no at email>"
1024-bit DSA key, ID B9F52B24, created 2007-08-09
4920
[22:13] denkbrett:gpg-tests% (cat 1536bytes; gpg --homedir ./dot-gpg --export B9F52B24) | gpg --homedir ./dot-gpg/ -u B9F52B24 --sign --encrypt --recipient 9C303CE6 | wc -c
You need a passphrase to unlock the secret key for
user: "dsa-elgamal-4096bits (no at comment) <no at email>"
1024-bit DSA key, ID B9F52B24, created 2007-08-09
4406
# test: --export-options export-minimal
# seems to be minimal anyway :-)
[22:13] denkbrett:gpg-tests% (cat 1536bytes; gpg --homedir ./dot-gpg --export B9F52B24 --export-options export-minimal) | gpg --homedir ./dot-gpg/ -u B9F52B24 --sign --encrypt --recipient 9C303CE6 | wc -c
You need a passphrase to unlock the secret key for
user: "dsa-elgamal-4096bits (no at comment) <no at email>"
1024-bit DSA key, ID B9F52B24, created 2007-08-09
4406
# Only 1162 bytes
[22:23] denkbrett:gpg-tests% (cat 1162bytes; gpg --homedir ./dot-gpg --export B9F52B24 --export-options export-minimal) | gpg --homedir ./dot-gpg/ -u B9F52B24 --sign --encrypt --recipient 9C303CE6 | wc -c
You need a passphrase to unlock the secret key for
user: "dsa-elgamal-4096bits (no at comment) <no at email>"
1024-bit DSA key, ID B9F52B24, created 2007-08-09
4033
--------------------------------------------------------------------------------
Compression: After encrypt/sign:
[22:31] denkbrett:gpg-tests% cat 1162bytes+pubkey | bzip2 -9 > 1162bytes+pubkey.bz2
[22:31] denkbrett:gpg-tests% cat 1162bytes+pubkey | gzip -9 > 1162bytes+pubkey.gz
-rw------- 1 nico nico 4033 2007-08-09 22:29 1162bytes+pubkey
-rw------- 1 nico nico 4524 2007-08-09 22:30 1162bytes+pubkey.bz2
-rw------- 1 nico nico 4056 2007-08-09 22:31 1162bytes+pubkey.gz
Compression: Of the public key only:
[22:31] denkbrett:gpg-tests% (cat 1162bytes; gpg --homedir ./dot-gpg --export B9F52B24 --export-options export-minimal | bzip2 -9) | gpg --homedir ./dot-gpg/ -u B9F52B24 --sign --encrypt --recipient 9C303CE6 | wc -c
You need a passphrase to unlock the secret key for
user: "dsa-elgamal-4096bits (no at comment) <no at email>"
1024-bit DSA key, ID B9F52B24, created 2007-08-09
4431
[22:32] denkbrett:gpg-tests% (cat 1162bytes; gpg --homedir ./dot-gpg --export B9F52B24 --export-options export-minimal | gzip -9) | gpg --homedir ./dot-gpg/ -u B9F52B24 --sign --encrypt --recipient 9C303CE6 | wc -c
You need a passphrase to unlock the secret key for
user: "dsa-elgamal-4096bits (no at comment) <no at email>"
1024-bit DSA key, ID B9F52B24, created 2007-08-09
4056
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : /pipermail/attachments/20070809/a2b5ea54/attachment-0001.pgp
More information about the Gnupg-users
mailing list