SSH Agent keys >4096 bit?

John Clizbe John at
Fri May 4 03:03:24 CEST 2012

Ali Lown wrote:
> I am trying to use gpg-agent for my ssh keys as well as my gpg keys,
> but am unable to add my 8192 bit ssh key to the agent.
> Agent log reports: "2012-05-03 17:48:02 gpg-agent[2190] ssh keys
> greater than 4096 bits are not supported"
> The limit appears to be arbitarily set in agent/command-ssh.c
> following a max mpi_data_size.
> Does anyone know why the limit is set at 4096 bits, and whether there
> are any plans for supporting SSH keys of lengths greater than 4096bit
> in the gpg-agent?

[I think I write this same email on one list or another at least once per year]

Because past RSA key sizes of 2048-3072, the migration is to Elliptic Curve
Crypto (ECC). Huge RSA keys does not scale for most Internet usages (PKI/TLS/SSL).

NO ONE is recommending 4096 RSA or DSA, not because it's unsafe but it's
computationally unwieldy, especially on small devices. At asymmetric key sizes
of 3072 bits, the smart money is moving to Elliptic Curve Cryptography (ECC).

How does ECC compare to RSA _today_?

>From the National Institutes of Science and Technology (one of the gold
standards for engineering know-how):

  RSA    ECC    Sym
 1024    160     80
 2048    224    112
 3072    256    128
 7680    384    192
15360    512    256

(One may add a 'Hash' column by doubling the values in the Symmetric
Encryption column.) These recommendations can be found on page 63 of NIST
Special Publication 800-57, Recommendations for Key Management, Part I. 2nd
Revision, 8 Mar, 2007.
All three parts of SP800-57 are available at

The NSA's 2010 Suite-B
recommendations are:
    Type   Symmetric   Elliptic Curve    Hash
   Secret     128         256             256
  Top Secret  256         384             384

A key aspect of Suite B is its use of elliptic curve technology instead of
classical public key technology. During the transition to the use of elliptic
curve cryptography in ECDH and ECDSA, DH, DSA and RSA can be used with a
2048-bit modulus to protect classified information up to the _secret_ level

So, depending on the source, a consensus seems to be forming that beyond a
2048 or 3072 bit modulus for DSA2 or RSA, folks need to switch to ECC.

2048-RSA is the current default in GnuPG. OpenPGP cards will support up to
3072-bit RSA; GnuPG up to 4096-bit RSA and 3072-bit DSA2. ECC in OpenPGP is on
its way toward becoming a RFC and being included in OpenPGP. Larger and larger
RSA keys aren't the solution, ECC is. The balance of power has tipped away
from RSA and toward ECC.

The Internet Draft for ECC in OpenPGP
[] is in the Final
Comment period with comments due by 2012-04-09.
I suspect WK has ECC ready to go in both GnuPG 1.4 and 2.0 as soon as the ID
is approved. I know it's already present in the 2.1 beta code.

Feel free to ignore everything I've told you. There's no reason you should
trust me. But by all means, keep asking questions and read the authoritative
articles and documents.

John P. Clizbe                      Inet: John (a) Gingerbear DAWT net
SKS/Enigmail/PGP-EKP                  or: John ( @ ) Enigmail DAWT net
FSF Assoc #995 / FSFE Fellow #1797  hkp://  or
     mailto:pgp-public-keys at

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"

More information about the Gnupg-users mailing list