Key practice

Robert J. Hansen rjh at
Sun Nov 15 02:06:52 CET 2009

David Alexander Russell wrote:
> Essentially what I read was that the default 1024-bit DSA key isn't
> strong enough, due to some flaw in SHA-1 which is the hash used for that
> size of DSA (that's as much detail as I absorbed I'm afraid)

Don't believe the hype.

I don't like DSA-1024, for a lot of reasons similar to the ones in the
website you linked.  However, there's a big difference between saying "I
don't like DSA-1024," and "DSA-1024 is insecure and shouldn't be used."

At present, it appears that breaking DSA-1024 is within the realm of
plausibility for ridiculously well-equipped adversaries who are willing
to spend astronomically absurd sums on breaking your key.  Some people
think this means "DSA-1024 is broken, don't use it."  This seems to be
pretty ignorant of history.

During the Cold War, the NSA spent absurd amounts of money designing
beautiful, elegant ciphers, and training very skilled cipher clerks.
The KGB spent small amounts of money on beautiful, elegant women and
sending them to these lonely, far-from-home cipher clerks.  You can
figure out who was in the habit of winning those games of Spy-Vs.-Spy.

The moral of the story: no one with two brain cells to rub together is
going to attack DSA-1024 cryptanalytically.  Not now, and not for the
reasonable future.  It's going to be much, much faster and cheaper to
use other kinds of attacks, attacks which are just as useful against
RSA-4096 as DSA-1024.

More information about the Gnupg-users mailing list