"This key may be unsafe"

Grant Olson kgo at grant-olson.net
Tue Mar 8 00:20:34 CET 2011


On 3/7/11 5:32 PM, Robert J. Hansen wrote:
> On 3/7/11 4:03 PM, Charly Avital wrote:
>> Are keys whose length is equal or inferior to 1024 bits *unsafe*?
> 
> A 1024-bit key is believed to be roughly comparable to an 80-bit
> symmetric key.  I am comfortable saying this is a reasonable level of
> security for the next few years for people who are not worried about
> being targeted by people who can afford to drop a few million dollars on
> cryptanalysis.
> 
> It is not a wise choice for long-term security, but I am not comfortable
> calling it "unsafe" for most users.
> 
> 

Here's a case where the difference between < and <= is HUGE.

gnupg 1.4 only switched the defaults from 1024 DSA/ElGamal to 2048
RSA/RSA in 1.4.10, which isn't even two years old.  I still see plenty
of boxes in the wild that only have 1.4.9, and not just those ones that
are old and creaky and people are afraid to reboot for fear of an actual
hardware failure.

Like you said, I would avoid creating one that size now, but even just a
year-and-a-half ago, your mantra of "use the defaults unless you know
what you're doing" would have resulted in 1024 bit keys for most users.

Meanwhile, warning about keys < 1024 bit would be a little more
practical, at least until ECC hits the standard.

-- 
Grant

"I am gravely disappointed. Again you have made me unleash my dogs of war."
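The effect of the `<` versus `<=` choice discussed in the message above, as an added example that is not part of the original post and is not GnuPG's own code: it parses a constructed `gpg --with-colons --list-keys` listing and reports which keys each comparison would flag. The function name `flagged_keys`, the sample key IDs, and the decision to skip ECC algorithm IDs (whose bit lengths are not comparable to RSA/DSA/Elgamal sizes) are assumptions of this example.

```python
# Constructed sample of `gpg --with-colons --list-keys` output (not real keys).
# Field 1 = record type, field 3 = key length, field 4 = algorithm ID,
# field 5 = key ID.
SAMPLE = """\
pub:u:1024:17:AAAAAAAAAAAAAAA1:1199145600:::u:::scESC:
sub:u:1024:16:AAAAAAAAAAAAAAA2:1199145600::::::e:
pub:u:2048:1:BBBBBBBBBBBBBBB1:1262304000:::u:::scESC:
sub:u:2048:1:BBBBBBBBBBBBBBB2:1262304000::::::e:
pub:u:768:1:CCCCCCCCCCCCCCC1:946684800:::u:::scESC:
pub:u:256:22:DDDDDDDDDDDDDDD1:1420070400:::u:::scESC:
"""

# OpenPGP algorithm IDs whose strength scales with modulus size:
# RSA (1-3), Elgamal (16, 20), DSA (17). ECC IDs (18, 19, 22) are left out
# because a 256-bit curve key is not "weaker" than a 1024-bit RSA key.
FINITE_FIELD_ALGOS = {1, 2, 3, 16, 17, 20}


def flagged_keys(colon_listing, threshold=1024, inclusive=False):
    """Return [(keyid, bits)] for pub/sub records under the threshold.

    inclusive=False applies `bits < threshold`; inclusive=True applies
    `bits <= threshold`.
    """
    flagged = []
    for line in colon_listing.splitlines():
        fields = line.split(":")
        if fields[0] not in ("pub", "sub") or len(fields) < 5:
            continue
        try:
            bits, algo = int(fields[2]), int(fields[3])
        except ValueError:
            continue  # malformed or empty length/algorithm field
        if algo not in FINITE_FIELD_ALGOS:
            continue
        if bits < threshold or (inclusive and bits == threshold):
            flagged.append((fields[4], bits))
    return flagged


if __name__ == "__main__":
    for inclusive in (False, True):
        op = "<=" if inclusive else "<"
        hits = flagged_keys(SAMPLE, inclusive=inclusive)
        print(f"bits {op} 1024: {len(hits)} key(s) flagged")
        for keyid, bits in hits:
            print(f"  {keyid} ({bits} bits)")
```

On this sample the strict comparison flags only the 768-bit key, while the inclusive one also flags the 1024-bit DSA/Elgamal pair that the pre-1.4.10 defaults would have produced.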


More information about the Gnupg-users mailing list