SSH Agent keys >4096 bit?

Hubert Kario hka at
Fri May 4 12:07:25 CEST 2012

On Friday 04 of May 2012 10:37:21 Werner Koch wrote:
> On Fri,  4 May 2012 00:27, hka at said:
> > decision, and that's agreed by basically anybody (NIST, ECRYPT II).
> > Especially when the cost of establishing the link with 8k RSA is
> > insignificant for any session over 5min in length (as is common in SSH).
> Sorry, but that is plain nonsense.  Maybe not with your desktop box, but
> my N900 takes quite some time to compute with 4k RSA keys.

OK, so the use of 8k RSA keys won't work with low power embedded devices.

It still doesn't change the overall picture:
1. migrating to ECC is hard and complicated
2. using 8k RSA is easy

> > Besides that, Schneier and Ferguson[2] say that basically any RSA based
> > crypto system should support 8k keys. Switching to ECC is not easy, you
> > need to
> I can't locate my copy right now.  Anyway, such suggestions depend
> largely on the context.

Quote from the book:

"The absolute minimum size for n is 2048 bits or so if you want to protect 
your data for 20 years. This minimum slowly increases as compiters get faster. 
If you can afford it in your application, let n be 4096 bit long or as close 
to this size as you can get it. Furthermore, make sure that your software 
supports values of n up to 8192 bits long."

That was written in 2003, nearly 10 years ago. They suggested using current 
day minimums when GPGPU didn't even exist and FPGAs with large memories were 
just surfacing.

> It might be true in theory for US or French
> govt security but not for any practical purposes.  Brian Snow of the NSA
> once told during lunch that they don't care to break the crypto - "we
> cheat".  What he meant is that it is way easier and cheaper to exploit
> software bugs or RNG peculiarities than to build for example Twinkle
> devices.  If the NSA is worth its money, you should assume that they
> have a bunch of zero day exploits available for all kind of software -
> including GnuPG.

possibly, still I'd guess that most of them are active, online attacks

but now we're in the hypothetical realm of vague possibility, such discussion 
is useless and suggest more that we "just have to throw away cryto as it's 
useless anyway" than anything else. Which, frankly, is bollocks.

> In particular SSH, which by its nature can't be used on a dedicated
> offline box, the use of even a 4k key is ridiculous.  Such use reminds
> me more of security policies which demand the use of passphrases but
> allow that the passphrase be stored on the same box in a file.

What has online/offline net connection anything to do with that? Storing 
acquired information for 20 years is nothing extraordinary as far as 
intelligence agencies and highly motivated individuals are concerned.
Hell, I've got files on my hard drive that are around 15 years old.
Computing in 20 years may be very different than it is today.

> Current practice is the use of 2k RSA keys and you simply do that just
> because everyone is happy if you follow this rule.  Using a lower key
> size might be justifiable but it is not worth to spend the time to
> explain the reason why it is okay to use only, say, 1536 bit.

Current practice is for data that hardly never has to deal with secrets that 
have to be kept for 40 years (like I noted before). As regularly the most 
valuable information being passed over secure links are passwords and http 
cookies. Which basically never have validity of over 10 years and 1 year 

Thing is, that is not the only use-case of crypto systems.

Hubert Kario
QBS - Quality Business Software
02-656 Warszawa, ul. Ksawerów 30/85
tel. +48 (22) 646-61-51, 646-74-24

More information about the Gnupg-users mailing list