SSH Agent keys >4096 bit?

Werner Koch wk at
Fri May 4 10:37:21 CEST 2012

On Fri,  4 May 2012 00:27, hka at said:

> decision, and that's agreed by basically anybody (NIST, ECRYPT II). Especially 
> when the cost of establishing the link with 8k RSA is insignificant for any 
> session over 5min in length (as is common in SSH).

Sorry, but that is plain nonsense.  Maybe not with your desktop box, but
my N900 takes quite some time to compute with 4k RSA keys.

> Besides that, Schneier and Ferguson[2] say that basically any RSA based crypto 
> system should support 8k keys. Switching to ECC is not easy, you need to 

I can't locate my copy right now.  Anyway, such suggestions depend
largely on the context.  It might be true in theory for US or French
govt security but not for any practical purposes.  Brian Snow of the NSA
once told during lunch that they don't care to break the crypto - "we
cheat".  What he meant is that it is way easier and cheaper to exploit
software bugs or RNG peculiarities than to build for example Twinkle
devices.  If the NSA is worth its money, you should assume that they
have a bunch of zero day exploits available for all kinds of software -
including GnuPG.

In particular SSH, which by its nature can't be used on a dedicated
offline box, the use of even a 4k key is ridiculous.  Such use reminds
me more of security policies which demand the use of passphrases but
allow that the passphrase be stored on the same box in a file.

Current practice is the use of 2k RSA keys and you simply do that just
because everyone is happy if you follow this rule.  Using a lower key
size might be justifiable but it is not worth spending the time to
explain the reason why it is okay to use only, say, 1536 bit.



Thoughts are free.  Exceptions are regulated by a federal law.
