david at systemoverlord.com
Sat Dec 11 03:16:56 CET 2010
I appreciate everyone's feedback on this matter. Comments/questions
On Fri, Dec 10, 2010 at 9:41 AM, Robert J. Hansen <rjh at sixdemonbag.org> wrote:
> On 12/9/2010 11:08 PM, David Tomaschik wrote:
> > I feel bad for the "litter" this introduces to the keyservers.
> Don't. :) The keyservers don't have a problem with this litter. I
> wish people showed more care with their certificates, but that's because
> I get too many "I forgot my passphrase, help!" emails, not because I
> think the keyserver network is getting clogged.
Only my oldest key (ca. 2000) is still in the wild, with a lost private
key. Many lessons were learned from that.
> > I currently have a 4096-bit RSA sign/encrypt keypair with no subkeys. I
> > believe, but am not certain, that it was generated with SHA1 hashes.
> > (Is there a way I can check?) This keypair was generated in May of this
> > year.
> Well, you have one subkey, it's just that the subkey is capable of both
> signing and encryption. You don't have separate subkeys for separate
> tasks, if I understand you correctly. Some people think this is a bad
> idea, since if you're compelled to produce an encryption key to the
> authorities (so they can decrypt an email sent to you) you've also
> provided them with your signature key (so they can now impersonate you).
Are there any disadvantages to distinct signature & encryption keys? Seems
like there's benefit with little cost (other than a bigger keyring). I'm
currently considering generating an offline-only master key and using that
to sign other keys. Some of the other threads in the archives seemed to
> > What is the best way to transition my email address? Add a new UID and
> > revoke the old? Should a new keypair be generated? What is the
> > conventional wisdom on the strength of RSA-4096?
> Add a new UID and revoke the old. You don't need to generate a new
> certificate. RSA-4K is, IMO, phenomenal overkill for the vast majority
> of users. Breaking RSA-2K is believed comparable in difficulty to
> breaking 3DES, and that prospect is ... let's just say "implausible."
> RSA-3K is roughly comparable to breaking AES-128. RSA-4K is not very
> much harder than that. Given all this, I really don't see any point in
> going past RSA-2K. Adding another 2,000 bits to the key in order to get
> about another 20 bits of symmetric-key equivalent just strikes me as bad
> > If a new keypair is generated, what length would be sufficient for a
> > decent (10+ year, preferably 20+) margin of safety? I know that there
> > may be unforeseen advances in computing that allow for keys to be broken
> > rapidly (Quantum computing, new sieve algorithms, etc.), but there's
> > surely some guidance based on the current generation of things.
> There is not. In twenty years we will see commonplace attacks that
> today are just speculative science fiction. It's incredibly hard to
> make good long-term predictions about crypto.
> It is possible that in twenty years national governments will have
> large-scale quantum processors. Once that happens, RSA, DSA and ElGamal
> all die horrible screaming deaths.
> As an example: almost twenty years ago Schneier wrote in _Applied
> Cryptography_ of the Chinese Lottery Attack. It involved putting a
> small processor in every Chinese television set, which could be
> programmed by broadcasts from Party headquarters. Each processor would
> crunch a small part of the keyspace, and as soon as a hit was achieved
> the television would tell the viewer, "You have won! Call Party
> headquarters with this authorization number: [insert key here]."
> Twenty years ago the Chinese Lottery Attack was an interesting thought
> experiment, but nobody took it seriously.
> Today we have RC5-64, distributed.net, SETI@home, botnets, Amazon EC2
> and all manner of other massively distributed computing frameworks. The
> question today isn't whether a Chinese Lottery Attack is possible: the
> question is how much it will cost you to rent your server time.
> The future is a scary place. But fun, too, and I look forward to
> getting there. :)
> > In a new keypair, is it safe to use SHA512 for hashes?
> Sure, but you don't need to create a new cert to use new hash algorithms.
Is the weakness in the hash used to sign the key internally, or just when
it is used to sign data? I guess that's the part that eludes me.
I've been looking at the thread earlier this month regarding smartcards.
Are the options from kernel concepts basically the full range of
GPG-compatible smart cards, or are there other products I haven't seen?
Obviously I'd need a new keypair if I switched to that, as they only go up
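The question above ("Is there a way I can check?" which hash a key was generated with, and whether the weak hash sits in the self-signatures on the key or only in data signatures) comes down to reading the hash-algorithm octet of each OpenPGP signature packet. The following is an added example, not code from the thread or from GnuPG: a small RFC 4880 packet walker that reports, for every signature packet in an exported key or a detached signature, its signature type and digest algorithm, which is the same information `gpg --list-packets` prints as `digest algo`. The key material and signature bytes it parses are constructed inline for illustration (fake MPIs, fake hash prefix), not a real key.

```python
"""Walk OpenPGP (RFC 4880) packets and report the hash each signature uses."""
import struct

HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
PK_ALGOS = {1: "RSA", 2: "RSA-E", 3: "RSA-S", 16: "ElGamal", 17: "DSA"}
SIG_TYPES = {0x00: "binary document", 0x01: "text document",
             0x10: "generic UID cert", 0x13: "positive UID cert",
             0x18: "subkey binding", 0x1F: "direct key",
             0x20: "key revocation", 0x28: "subkey revocation",
             0x30: "certification revocation"}
TAGS = {2: "signature", 5: "secret key", 6: "public key", 7: "secret subkey",
        13: "user ID", 14: "public subkey"}


def read_header(buf, pos):
    """Return (tag, body_start, body_len) for the packet header at pos (RFC 4880 4.2)."""
    first = buf[pos]
    if not first & 0x80:
        raise ValueError("no packet header at offset %d" % pos)
    if first & 0x40:                       # new-format header
        tag, b = first & 0x3F, buf[pos + 1]
        if b < 192:
            return tag, pos + 2, b
        if b < 224:
            return tag, pos + 3, ((b - 192) << 8) + buf[pos + 2] + 192
        if b == 255:
            return tag, pos + 6, struct.unpack(">I", buf[pos + 2:pos + 6])[0]
        raise ValueError("partial body lengths not supported")
    tag, ltype = (first >> 2) & 0x0F, first & 0x03   # old-format header
    if ltype == 0:
        return tag, pos + 2, buf[pos + 1]
    if ltype == 1:
        return tag, pos + 3, struct.unpack(">H", buf[pos + 1:pos + 3])[0]
    if ltype == 2:
        return tag, pos + 5, struct.unpack(">I", buf[pos + 1:pos + 5])[0]
    raise ValueError("indeterminate length not supported")


def parse_signature(body):
    """Pull version, signature type, public-key algo and hash algo from a signature body."""
    version = body[0]
    if version == 4:                       # v4: version, type, pk algo, hash algo, ...
        sig_type, pk_algo, hash_algo = body[1], body[2], body[3]
    elif version == 3:                     # v3: version, 5, type, time(4), keyid(8), pk algo, hash algo
        sig_type, pk_algo, hash_algo = body[2], body[15], body[16]
    else:
        raise ValueError("unsupported signature version %d" % version)
    return {"version": version,
            "type": SIG_TYPES.get(sig_type, hex(sig_type)),
            "pk_algo": PK_ALGOS.get(pk_algo, str(pk_algo)),
            "hash": HASH_ALGOS.get(hash_algo, str(hash_algo))}


def list_packets(buf):
    """Return one dict per packet; signature packets carry their hash algorithm."""
    pos, out = 0, []
    while pos < len(buf):
        tag, start, length = read_header(buf, pos)
        body = buf[start:start + length]
        if len(body) != length:
            raise ValueError("truncated packet at offset %d" % pos)
        entry = {"tag": TAGS.get(tag, "tag %d" % tag)}
        if tag == 2:
            entry.update(parse_signature(body))
        elif tag == 13:
            entry["uid"] = body.decode("utf-8", "replace")
        out.append(entry)
        pos = start + length
    return out


# --- constructed sample input (not a real key; MPIs and hash prefix are dummies) ---
def _mpi(n_bytes):
    return struct.pack(">H", n_bytes * 8) + b"\x80" + b"\x11" * (n_bytes - 1)

def _sig(sig_type, hash_algo):
    hashed = b"\x05\x02" + struct.pack(">I", 1274000000)      # creation-time subpacket
    body = (bytes([4, sig_type, 1, hash_algo]) + struct.pack(">H", len(hashed)) + hashed
            + b"\x00\x00" + b"\xab\xcd" + _mpi(4))
    return bytes([0x88, len(body)]) + body                    # old-format tag 2, 1-octet length

_pubkey_body = bytes([4]) + struct.pack(">I", 1274000000) + b"\x01" + _mpi(8) + _mpi(1)
_uid = b"David Tomaschik <david@example.invalid>"
SAMPLE_KEY = (bytes([0x99]) + struct.pack(">H", len(_pubkey_body)) + _pubkey_body
              + bytes([0xCD, len(_uid)]) + _uid                # new-format tag 13
              + _sig(0x13, 2))                                 # self-sig made with SHA1
SAMPLE_DATA_SIG = _sig(0x00, 10)                               # document signature with SHA512

if __name__ == "__main__":
    for p in list_packets(SAMPLE_KEY) + list_packets(SAMPLE_DATA_SIG):
        print(p)
```

Run against a real key with `gpg --export KEYID` piped into `list_packets`, or compare with `gpg --list-packets`; the self-signatures (UID certifications and subkey bindings) are what carry the hash chosen at key-generation time, while each data signature picks its own digest at signing time.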