Questions about generating keys

Oskar L. oskar at rbgi.net
Thu Aug 23 04:11:35 CEST 2007 

Thanks again for all your answers, I'm really interested in this kind of
stuff.


Robert J. Hansen wrote (regarding "DSA2" keys):
> The latest versions of PGP support them.

That's good news. Can it also create them? But there are probably still
many using older versions. I know some who refuse to update from 6.5.8.


David Shaw wrote:
> Now that DSA2 is here, there aren't really that many benefits to RSA
> (and I say this as someone with an RSA key).  In theory, DSA is better
> because it is required by OpenPGP: you won't be able to find any
> OpenPGP implementation that doesn't handle it.  This is not true of
> RSA (it's legal for a program to reject it just because it is RSA).
> In practice, that doesn't happen much because the "big two", PGP and
> GPG, both handle RSA.
>
> So DSA is the default because the OpenPGP standard requires it to be
> present, and does not require the same of RSA.  The reasons behind
> this were mainly legal stuff and not relevant any longer.

I wasn't aware of this, thanks for the info!


David Shaw wrote:
> This is actually not completely true.  DSA makes signatures faster
> than RSA.  RSA verifies signatures faster than DSA.  Since most
> signatures are verified more often than they are generated, this is
> generally stated as RSA being faster, but in OpenPGP usage, this is
> almost always irrelevant.  Unless you're issuing thousands of
> signatures a second, the time needed to read the files, and do the
> hashing is far more significant.

Robert J. Hansen wrote:
> If you are repeatedly encrypting and/or decrypting enormous files,
> then yes, this is potentially an issue.  Otherwise, there is no
> practical difference in speed you will notice.

Ok, so RSA isn't always significantly faster, as I thought it was. I had
read somewhere that it was, (probably on this list) and my own testing
with my 4GB backup files showed RSA to be notably faster.


David Shaw wrote:
> Same here.  DSA2 supports larger hashes.

So would it be fair to sum up the differences like this:
- for signing DSA is faster, for verification RSA is faster,
  but there's not much of a difference.
- OpenPGP implementations must support DSA, but supporting RSA
  is optional, but both gpg and PGP support RSA, so there's
  not much of a differance.
- original DSA limited to 1024 bit keys and 160 bit hashes.
- DSA signatures are smaller.
- updated DSA, aka "DSA2", equal to RSA when it comes to the
  lenghts of keys and hashes.
- Of PGP, only the newest version support DSA2 keys.
- RSA has a hash firewall

If there are no other significant differences that I have missed, since I
want a key larger that 1024 bits, it must be a DSA2 or RSA key. RSA gets a
minus for not being required by OpenPGP, but only a small one since it is
supported anyway. DSA2 gets minus points both for lack of support in older
versions of PGP, and for lack of a hash firewall. RSA still seems better
to me, but not by as much as I previously thought.


Robert J. Hansen wrote:
> The OpenPGP specification came out in the late nineties.  RSA did
> not enter the public domain until August of 2000.  The IETF
> refused--rightly so--to make a patented algorithm the default
> OpenPGP algorithm.

So they accepted RSA into the standard, while it was still restricted by
patents, as long as it wasn't made the default? I took for granted that an
open standard like OpenPGP would not have accepted any patented stuff into
the standard, and that RSA was added later, after the patents ran out. I'm
a bit sad to find out I was wrong, I was under the impression that OpenPGP
only allowed completely free and open algorithms.

If the IETF refused to make RSA the default, does that mean that the
people behind OpenPGP originally wanted it to be the default, but then had
to change it to DSA?


> Relying on the 'highly effective" Security via Obscurity model, huh?
>
> There's no guarantee that your key won't end up on a keyserver nor is
> there one
> that your "private" email address won't leak into the public,

I would not say that just because someone doesn't willingly make their
address available to spammers makes them a believer in security through
obscurity. Full disclosure is not a good strategy when it comes to
personal information like e-mail addresses, credit card numbers etc.

Saying that going through a little trouble to greatly decrease the risk of
something bad happening is not worth it because it won't make you 100%
secure makes no sense. That's like saying that you can't get 100%
protection from dying in a car crash, so therefore don't bother using a
seatbelt.

For example, this list has a public archive with the posters e-mail
addresses, so spammers can easily get them. Having a separate account for
e-mail lists that deletes everything not coming from the lists is not much
trouble, but it makes it a lot harder for the spammers to get your
address, if it is not available anywhere on the web. Spammers also find
addresses by sending out mail to common names at different domains, to see
if they bounce back or not. So mary at gmail.com will get spam even if she
never gave out her address to anyone. Adding a number to the user name is
little trouble for you, but makes things much more difficult for the
spammers.

Oskar

More information about the Gnupg-users mailing list