gpg rejects SHA224 with DSA-2048
David Shaw
dshaw at jabberwocky.com
Mon Nov 9 15:53:45 CET 2009
On Nov 9, 2009, at 8:20 AM, Kevin Kammer wrote:
> On Mon, Nov 09, 2009 at 11:52:48AM +0100 Also sprach Werner Koch:
>> On Mon, 9 Nov 2009 04:17, rjh at sixdemonbag.org said:
>>
>>> When did this changeover take place, and is there any way to get
>>> the old
>>> behavior back?
>>
>> On 2009-07-09; that is since 1.4.10 / 2.0.13. There is no option to
>> change it back. The code in g10/keygen.c reads:
>>
>> /*
>> Figure out a q size based on the key size. FIPS 180-3 says:
>>
>> L = 1024, N = 160
>> L = 2048, N = 224
>> L = 2048, N = 256
>> L = 3072, N = 256
>>
>> 2048/256 is an odd pair since there is also a 2048/224 and
>> 3072/256. Matching sizes is not a very exact science.
>>
>> We'll do 256 qbits for nbits over 2047, 224 for nbits over 1024
>> but less than 2048, and 160 for 1024 (DSA1).
>> */
>>
>> if(nbits>2047)
>> qbits=256;
>> else if(nbits>1024)
>> qbits=224;
>> else
>> qbits=160;
>>
>
> I imagine it would not be terribly difficult to rewrite keygen.c to
> offer the option of qbits=224 for nbits==2048, offered at key
> generation
> time (likely with the --expert flag set), but it would be a non-
> trivial
> change for a very questionable benefit.
Very questionable, indeed. There are a number of places where the
various standards that comprise OpenPGP, and the OpenPGP standard
itself, give the implementor leeway to pick path A or B. Each
additional line of code to implement changes to accommodate stuff like
this adds testing time, adds potential for bugs, and takes away time
from more useful things. IT department rules don't always make sense,
but you can't make a product like GPG in constant fear that some
hypothetical IT department will take offense at some particular
obscure detail in it (a detail, again, that is correct as per the DSS
and OpenPGP specs). If that IT department became non-hypothetical, it
might be worth looking at.
In any event, that hypothetical IT department will find it rather hard
to use OpenPGP at all - offhand, I can't think of any current OpenPGP
product that supports DSA over 1024 bits that doesn't use a 256-bit q
for a 2048-bit key.
David
More information about the Gnupg-users
mailing list