Seperate RSA subkeys for decryption and signing or one for both?
hka at qbs.com.pl
Tue Dec 4 14:48:53 CET 2012
On Tuesday 04 of December 2012 14:14:34 Hauke Laging wrote:
> Am Di 04.12.2012, 13:19:11 schrieb Hubert Kario:
> > Keys can become "used up" so it entirely depends on how often you use it.
> > What I mean by that, is that any signing operation leaks some information
> > about the key used for signing (generally far less than few tens of a
> > bit).
> > If you have signed tens of thousands of documents with it, an attacker can
> > recover substantial portion of the key and speed up the key recovery.
> I remembered having read something like that. But does this refer to signing
> only? Are decryption keys not affected by that? The advantage of separate
> subkeys would be then that the non-used up key could keep active longer.
> That may be an argument against signing emails by default ;-) or at least
> for longer signature keys.
Leaking is caused by signing, if your using the same key for signing and
encryption, then you can use the signatures to speed up the attack on
If you're encrypting with one key and signing with other then the encryption
key doesn't need to be changed, as the encryption is done with public part
anyway -- you don't leak any information that's not already avaiable to the
Signature keys should be changed regularly, every few hundred thousand
signatures or so.
In typical business deployments you don't have users that send over three
hundred signed e-mails a day, every day (including holidays), and the
certificates are valid only for a year. So you don't go over the "few hundred
thousand signatures" limit. It is something you should keep in mind when
you're using GPG and send lot of e-mails, though -- it is easy to use the same
key for many years...
QBS - Quality Business Software
02-656 Warszawa, ul. Ksawerów 30/85
tel. +48 (22) 646-61-51, 646-74-24
More information about the Gnupg-users