RSA or DSA? That's the question
noiano at x-privat.org
Thu Sep 6 21:17:17 CEST 2007
Robert J. Hansen wrote:
> Werner Koch wrote:
>> I have not heard of a SHA-1 collision yet. IIRC it still takes
>> something in the range of 2^60.
> Rechberger and Cannière had some interesting things at CRYPTO 2006--I
> don't recall the details, but it sounded like a partial preimage attack,
> not just a simple collision. They only demonstrated it against SHA-1
> reduced to 64 rounds, but drew a pretty clear roadmap for how to extend
> it to 80. I'm expecting more results soon.
> SHA-1 is facing some scary times.
>> symmetric and public key encryption. OTOH, the improvement in breaking
>> public key schemes are foreseeable for quite some time now and thus we
>> can estimate how long it will take to break an n-bit key.
> I don't know I'd agree with that. In the early '90s when I first
> started using PGP 2.6, a 1024-bit key was considered to be ridiculous
> overkill. Most keys of that era were only 512 bits, and were considered
> of suitable strength for a great many years. A generation prior to
> that, Ron Rivest's original late-1970s predictions on necessary key
> lengths turned out to be wildly optimistic.
> We've got two full generations of crypto prophets who have badly
> overestimated the long-term security of algorithms and badly
> underestimated the unpredictable advances in computing power. It seems
> reasonable to me to ask why the current round of prophecy should be
> believed, given the failures of the past.
> When Schneier wrote _Applied Cryptography_ in 1992, the Chinese Lottery
> Attack was speculative fiction at best. Today, distributed.net is doing
> them every single day. It makes you think about what William Gibson
> said--"the future is already here, it's just unevenly distributed."
First off all thanks for your answers, I have now clearer ideas :-). For
what concerns SHA-1 I read that, thanks to the collisions, an attacker
can modify the message but the signature verification well be ok. I
think that's really hard to do right? By the way I am thinking on
creating a rsa key pair (with rsa subkey) as I am willing to buy a smart
card kit. However you told the very standard algorithm is DSA/Elgamail
so what should I do? Create two key pair? A rsa one and a dsa/elgamail one?
One more thing: the key expiry. Do you think that setting the expiry
date after a year or two is a good choice? Or is better not to set a
expiry date and revoke the key when necessary?
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 189 bytes
Desc: OpenPGP digital signature
Url : /pipermail/attachments/20070906/b1514f98/attachment-0001.pgp
More information about the Gnupg-users