"This key may be unsafe"

Jeffrey Walton noloader at gmail.com
Tue Mar 8 00:30:02 CET 2011


On Mon, Mar 7, 2011 at 4:03 PM, Charly Avital <shavital at mac.com> wrote:
> GPG Keychain Access 0.8.4 shows a red warning 'This key maybe unsafe'
> for *any* key with a length equal or inferior to 1024 bits.
>
> GPG Keychain Access 0.8.4 is a GUI for key management for Mac users.
> <http://www.gpgtools.org/keychain.html>
>
> A Google search with key sentence "This key maybe unsafe" between
> inverted commas, to limit the search to the whole sentence, displays
> hits that relate directly or indirectly (Twitter) only to GPGTools' lists.
Search for Security Levels and then take a look at NIST SP 800-57
(Table 2, Comparable Strengths), SP 800-131, or ECRYPT2's "Yearly
Report on Algorithms and Keysizes".

> Are keys whose length is equal or inferior to 1024 bits *unsafe*?
It depends on whom you ask. NIST say yes under most situations, others
say no. Lenstra et al. feel 1024 RSA/P-160 ECC will hold until 2020
with an acceptable amount of risk. See "On the Security of 1024-bit
RSA and 160-bit Elliptic Curve Cryptography".

> If so, how are they unsafe?
The bad guy can recover your secrets because the "work" to break the
key is too easy.

> Where is this key length unsafe situation documented?
See above.

> As a personal example, my primary key A57A8EFA is a DSA "old" 1024 bit
> key, but its encryption subkey is 2048 bit long, and I use a sign-only
> 2048 bit long RSA subkey. I also get that red warning with GPG Keychain
> Access 0.8.4
A 1024 bit key has a security level of about 80 bits. The 2048 bit key
holds about 112 bits of security.

The bad guy has two choices: break the 1024 signing key (80 bits of
security), or allow you to send an ephemeral key comparable to a 2048
bit modulus (112 bits of security) and break the 2048 ephemeral key. He
either attacks the 1024 bit key, or the 2048 bit key. His choice is
simple: break your signing key (1024 bits), then step in the middle
and sign an ephemeral key of his choosing (pretending to be you).

As a side note, most SSL certificates I have looked at mismatch
security levels also. GeoTrust just issued me two certificates signed
with SHA-1. Yet my keys were RSA 2048/SHA-224. The bad guy should
attack GeoTrust's weaker signature rather than my authentication keys
:(

Jeff
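
The weakest-link point made in the reply above, as an added example that is not part of the original message: it parses `gpg --with-colons --list-keys` output and maps each RSA/DSA/Elgamal key length to its NIST SP 800-57 comparable strength. The sample listing and its key IDs are constructed, and Elgamal for the encryption subkey is an assumption.

```python
# Added example: weakest-link check over `gpg --with-colons --list-keys` output.
# Rows follow NIST SP 800-57 Part 1 comparable strengths for RSA/DSA/Elgamal.
NIST_STRENGTH = [(15360, 256), (7680, 192), (3072, 128), (2048, 112), (1024, 80)]
ALGOS = {1: "RSA", 16: "Elgamal", 17: "DSA"}  # OpenPGP public-key algorithm IDs

# Constructed sample (key IDs are placeholders): a 1024-bit DSA primary key with
# a 2048-bit encryption subkey and a 2048-bit sign-only RSA subkey.
SAMPLE = """\
pub:u:1024:17:0000000000000001:2001-01-01:::u:::scSC:
uid:u::::2001-01-01::0000::Example User <user@example.org>:
sub:u:2048:16:0000000000000002:2009-01-01::::::e:
sub:u:2048:1:0000000000000003:2009-01-01::::::s:
"""

def strength_bits(length):
    """Comparable symmetric strength for an RSA/DSA/Elgamal key of `length` bits."""
    for size, bits in NIST_STRENGTH:
        if length >= size:
            return bits
    return 0  # shorter than 1024 bits: below the 80-bit row

def parse_keys(colons):
    """Return one dict per pub/sub record; field 3 is length, 4 algo, 12 capabilities."""
    keys = []
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] not in ("pub", "sub") or len(f) < 12:
            continue
        algo = int(f[3])
        if algo not in ALGOS:  # ECC key sizes use a different table; skipped here
            continue
        length = int(f[2])
        keys.append({"type": f[0], "algo": ALGOS[algo], "length": length,
                     "keyid": f[4], "caps": f[11], "bits": strength_bits(length)})
    return keys

def weakest(keys, capability=None):
    """Weakest key overall, or among keys carrying a capability letter (s, e, c)."""
    pool = [k for k in keys if capability is None or capability in k["caps"].lower()]
    return min(pool, key=lambda k: k["bits"]) if pool else None

if __name__ == "__main__":
    for k in parse_keys(SAMPLE):
        print(f'{k["type"]} {k["keyid"]} {k["algo"]}-{k["length"]} '
              f'[{k["caps"]}] ~{k["bits"]} bits')
    w = weakest(parse_keys(SAMPLE))
    print(f'weakest link: {w["keyid"]} (~{w["bits"]} bits)')
```

To check a real keyring, pass the output of `gpg --with-colons --list-keys` to parse_keys() in place of SAMPLE.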
