RSA or DSA? That's the question

Werner Koch wk at
Thu Sep 6 12:35:22 CEST 2007

On Thu,  6 Sep 2007 11:26, noiano at said:

> I was thinking to create one rsa key and one subkey for encryption. What
> do you think? What do you advise?

If you want to be standards-conformant and your goal is best
interoperability, you need to use DSA and Elgamal.  These are the MUST
algorithms in OpenPGP.

Regarding security, the first question you should ask yourself is what
parts of the system are weaker and thus easier to attack than the actual
keys.  By system I mean: the hardware (house, room, computer), the
operating system, the gadgets you use on your box, the desktop
environment, the other tools you are using, the mail program, the
compiler and, last but not least, gpg.  If you have convinced yourself
that breaking 1024 bit DSA is easier[1] than attacking one of the other
parts of the system, you should consider using a longer key; probably
RSA but in some cases DSA will be a smarter choice for signatures.

What you finally implement depends on your threat model.  For example
you might ask yourself whether it is really required to keep your data
absolutely confidential for 10 or more years.  How valuable is this
data and how much do you want to invest in protecting it?



[1] Note that if cryptographers tell you an algorithm is no longer
secure (e.g. SHA-1), that does not mean you or anyone in the world is
able to break it now or in the next couple of years.  Even if it is
finally breakable, the cost of attacking one key will be enormous and
thus this threat needs to be balanced with the value of the key.

Thoughts are free.  Exceptions are governed by a federal law.
