"This key may be unsafe" - Redux

David Tomaschik david at systemoverlord.com
Mon Mar 7 23:08:01 CET 2011


This key length concern is highly dependent on the threat model.  I
believe RSA-1024 is likely safe TODAY for MOST attacks.  That being
said, I could not, in good conscience, suggest that anyone generate a
1024 bit key today -- the lifetime on that is probably too short, and
almost any device (including most mobile devices that can handle some
form of OpenPGP) should be able to handle at least 2048 bit without
much trouble.  Section 5.6 of NIST Publication 800-57
(http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf)
is the best guidance I use for key length selection.  NIST recommended
that use of 1024 bit RSA-type (IFC) keys be discontinued in 2010.
2048 is recommended through 2030.  I use a 4k master key
(certification only) and 3k keys for encrypt and sign.  Yes, this is
perhaps a bit paranoid, but I have yet to run into any device where I
feel the delay is unacceptable (my android phone included).

I don't believe that GPG alerts on key lengths at all, but it does
have suggested lengths at key generation time.

David


On Mon, Mar 7, 2011 at 4:41 PM, Charly Avital <shavital at mac.com> wrote:
>> GPG Keychain Access 0.8.4 shows a red warning 'This key maybe unsafe'
>> for *any* key with a length equal or inferior to 1024 bits.
> [...]
>
>>
>> Are keys whose length is equal or inferior to 1024 bits *unsafe*?
>> If so, how are they unsafe?
>> Where is this key length unsafe situation documented?
>
> I am not aware of any GnuPG command in Terminal that would display or
> warn about this situation. Is there any, or should there be any?
>
>
> [...]
>
> TIA.
> Charly



-- 
David Tomaschik, RHCE, LPIC-1
System Administrator/Open Source Advocate
OpenPGP: 0x5DEA789B
http://systemoverlord.com
david at systemoverlord.com
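One way to get the warning Charly asks about from the command line, as an added example that is not part of this post or of GnuPG itself: it parses gpg's machine-readable `--with-colons` listing, where field 3 of each `pub`/`sub` record is the key length in bits, field 4 the algorithm number (1 = RSA, 16 = Elgamal, 17 = DSA) and field 5 the key ID, and flags every key at or below a chosen length. The sample listing is constructed, not real keys.

```shell
#!/bin/sh
# Flag OpenPGP keys whose length is at or below a threshold, using the
# colon-separated listing described in GnuPG's doc/DETAILS:
#   pub:<validity>:<bits>:<algo>:<keyid>:<created>:...
#   sub:<validity>:<bits>:<algo>:<keyid>:<created>:...
# Field 3 is the key length in bits, field 4 the algorithm id, field 5 the key id.

# Read a --with-colons listing on stdin; print "keyid algo bits" for every
# primary key (pub) or subkey (sub) whose length is <= $1 (default 1024).
flag_short_keys() {
    threshold="${1:-1024}"
    awk -F: -v max="$threshold" '
        ($1 == "pub" || $1 == "sub") && ($3 + 0) <= max {
            print $5, $4, $3
        }'
}

# Constructed sample listing (hypothetical key ids, not a real keyring):
# a 1024-bit DSA key with a 1024-bit Elgamal subkey, and a 4096-bit RSA
# certification key with two 3072-bit RSA subkeys.
SAMPLE='pub:u:1024:17:0123456789ABCDEF:2001-01-01::u:::scESC:
uid:u::::2001-01-01::ABCDEF0123456789ABCDEF0123456789ABCDEF01::Example User <user@example.org>:
sub:u:1024:16:FEDCBA9876543210:2001-01-01::::::e:
pub:u:4096:1:1111222233334444:2011-03-07::u:::c:
sub:u:3072:1:5555666677778888:2011-03-07::::::s:
sub:u:3072:1:99990000AAAABBBB:2011-03-07::::::e:'

# Against a real keyring, replace the sample with:
#   gpg --list-keys --with-colons | flag_short_keys 1024
printf '%s\n' "$SAMPLE" | flag_short_keys 1024
```

Only the two 1024-bit records are printed; raise the threshold (for example to 2048) to catch keys that NIST's 2030 guidance would also retire.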


