Use other hash than SHA-1
David Shaw
dshaw at jabberwocky.com
Tue May 5 04:44:12 CEST 2009
On May 4, 2009, at 11:21 AM, Raimar Sandner wrote:
> On Monday 04 May 2009 04:56:24 David Shaw wrote:
>
>> If you want a DSA2 key:
>>
>> gpg --enable-dsa2 --gen-key
>>
>> Select option 1, and enter 3072 for the DSA key size.
>
>> If you want an RSA key:
>>
>> gpg --cert-digest-algo sha256 --gen-key
>>
>> Select option 5. Enter an RSA key size. The default (2048) is fine.
>
> Why do you recommend the DSA2 signing key to be larger than the RSA
> signing
> key?
Heh. It's because of fussy internal parameter settings. DSA2 keys
can use different hashes, and the hashes they use are tied to the key
size. There is some looseness in the parameters, but in GPG it
basically boils down to this:
If the key is over 2048 bits, use a 256-bit hash.
If the key is over 1024 bits, use a 224-bit hash.
Otherwise, use a 160-bit hash.
I couldn't specify the DSA key to be 2048 bits long to match the RSA
key because that would have given it a 224-bit hash instead of the
promised 256-bit hash.
David
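Added worked example (not GnuPG code, and not from David Shaw's mail): the key-size to hash-size rule stated above, written as a function, next to the step of DSA signing that is the reason the two are tied together. FIPS 186-3 (section 4.6) reduces the message digest to z = the leftmost min(N, outlen) bits of Hash(M), where N is the bit length of the subgroup order q; any hash bits beyond N are simply discarded, so a 2048-bit DSA2 key that GnuPG pairs with a 224-bit q only ever uses 224 bits of SHA-256, which is why the 3072-bit size was recommended. The function names, the list of candidate key sizes (1024, 2048, 3072) and the sample message are this example's own assumptions.

```python
import hashlib

# Rule quoted from the mail: GnuPG sizes the DSA2 hash (and hence q) from
# the key size.  FIPS 186-3 also permits a 256-bit q with a 2048-bit p, but
# GnuPG's generator does not pick that pair, which is the point of the mail.
def gpg_dsa2_hash_bits(key_bits: int) -> int:
    """Hash size GnuPG pairs with a DSA2 key of key_bits bits (per the mail)."""
    if key_bits > 2048:
        return 256
    if key_bits > 1024:
        return 224
    return 160


def smallest_dsa2_key_for_hash(hash_bits: int) -> int:
    """Smallest of the assumed standard key sizes that gets the wanted hash."""
    for key_bits in (1024, 2048, 3072):  # assumption: the sizes GnuPG offers
        if gpg_dsa2_hash_bits(key_bits) >= hash_bits:
            return key_bits
    raise ValueError("no DSA2 key size delivers a %d-bit hash" % hash_bits)


def dsa_hash_to_int(digest: bytes, q_bits: int) -> int:
    """FIPS 186-3 4.6: z = leftmost min(N, outlen) bits of Hash(M), N = len(q)."""
    outlen = len(digest) * 8
    keep = min(q_bits, outlen)
    z = int.from_bytes(digest, "big")
    if outlen > keep:
        # The rightmost outlen - keep bits never enter the signature equation.
        z >>= outlen - keep
    return z


def effective_hash_bits(key_bits: int, hash_name: str) -> int:
    """Bits of hash_name that actually influence a signature by this key."""
    q_bits = gpg_dsa2_hash_bits(key_bits)  # q is sized to match GnuPG's hash choice
    return min(q_bits, hashlib.new(hash_name).digest_size * 8)


def truncation_demo(message: bytes) -> dict:
    """Show the truncation concretely for a SHA-256 digest and a 224-bit q.

    Returns the reduced value z for q = 224 and q = 256, plus z computed from a
    digest whose last four bytes were deliberately replaced (a constructed
    digest, not a real collision): with q = 224 the two agree, because those
    32 bits are dropped before signing.
    """
    digest = hashlib.sha256(message).digest()
    tampered_tail = digest[:28] + b"\xff" * 4
    return {
        "z_q224": dsa_hash_to_int(digest, 224),
        "z_q224_from_prefix": int.from_bytes(digest[:28], "big"),
        "z_q224_tampered_tail": dsa_hash_to_int(tampered_tail, 224),
        "z_q256": dsa_hash_to_int(digest, 256),
        "z_q256_full_digest": int.from_bytes(digest, "big"),
    }


if __name__ == "__main__":
    for key_bits in (1024, 2048, 3072):
        print("DSA2 %d-bit key -> %d-bit hash, SHA-256 effectively %d bits"
              % (key_bits, gpg_dsa2_hash_bits(key_bits),
                 effective_hash_bits(key_bits, "sha256")))
    print("smallest key for a 256-bit hash:", smallest_dsa2_key_for_hash(256))
    demo = truncation_demo(b"constructed sample message")  # constructed input
    print("q=224: tail bytes ignored ->",
          demo["z_q224"] == demo["z_q224_tampered_tail"])
    print("q=256: whole digest used  ->",
          demo["z_q256"] == demo["z_q256_full_digest"])
```

The check a practitioner wants here is effective_hash_bits(2048, "sha256") == 224: forcing --cert-digest-algo sha256 on a 2048-bit DSA2 key does not buy a 256-bit hash, because the reduction to z throws the last 32 bits away before the signature is computed.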
More information about the Gnupg-users mailing list