SSH Agent keys >4096 bit?

Hubert Kario hka at qbs.com.pl
Sat May 5 15:49:56 CEST 2012


On Friday 04 of May 2012 21:41:25 Peter Lebbing wrote:
> On 04/05/12 20:54, Ali Lown wrote:
> > Might I point out that discussion is with respect to an 8k RSA SSH key
> > for SSH authentication, not for email. A 2 second delay during the
> > initialization of an SSH connection is not a problem.
> 
> And here is precisely something interesting: 8k RSA is discussed as a method
> to keep messages confidential for decades. I haven't looked into it, but
> I'm under the impression RSA is used purely for authentication in SSH, not
> for key exchange[1]. What are you protecting decades against here? A server
> reusing a random challenge? That seems quite far fetched.
> 
> Oh, by the way, only the computational load for the client was discussed.
> There's also the server (although the public side of the computation is
> quicker than the private side). The server gets logins from potentially a
> lot of clients.
> 
> Peter.
> 
> [1] I get this impression because there is a configuration option for
> OpenSSH sshd that selects which key exchange methods to use, and they all
> have DH (Diffie-Hellman) in their name.

As far as I know, OpenSSH uses DH parameters of the same size as the RSA keys: 
for 8k DH you need 8k RSA or (which is unmaintainable) manually force use of 
8k DH.

Regards,
-- 
Hubert Kario
QBS - Quality Business Software
02-656 Warszawa, ul. Ksawerów 30/85
tel. +48 (22) 646-61-51, 646-74-24
www.qbs.com.pl
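As an added illustration (not from the thread, and not OpenSSH's own code): a Python model of how OpenSSH's diffie-hellman-group-exchange sizes its DH modulus. The client derives the requested group size from the strength of the negotiated symmetric algorithms via the thresholds in dh_estimate(), and the server picks a modulus of at least that size from its moduli list; no RSA key size enters the computation. The algorithm tables and the server's moduli sizes are constructed and simplified for illustration, and the dh_estimate() thresholds are those of current OpenSSH (older releases used smaller values).

```python
DH_GRP_MIN = 2048  # OpenSSH's floor for group exchange
DH_GRP_MAX = 8192  # OpenSSH's ceiling for group exchange

# Per-algorithm lengths in bytes (constructed, simplified from OpenSSH's tables):
# cipher -> (security-relevant key length, block size, IV length); MAC -> key length.
CIPHERS = {
    "aes128-ctr": (16, 16, 16),
    "aes256-ctr": (32, 16, 16),
    "chacha20-poly1305@openssh.com": (32, 8, 0),  # 512-bit key, 256-bit strength; AEAD, no MAC
}
MACS = {"umac-64@openssh.com": 16, "hmac-sha2-256": 32, "hmac-sha2-512": 64, "none": 0}


def dh_estimate(bits):
    """Symmetric strength in bits -> DH modulus size (OpenSSH dh_estimate() thresholds)."""
    if bits <= 112:
        return 2048
    if bits <= 128:
        return 3072
    if bits <= 192:
        return 7680
    return 8192


def requested_group_bits(cipher, mac):
    """Client side: the (min, n, max) triple sent in SSH_MSG_KEX_DH_GEX_REQUEST.
    n is driven by the largest symmetric secret the session will derive."""
    seclen, block, iv = CIPHERS[cipher]
    dh_need = max(seclen, block, iv, MACS[mac])  # bytes, like kex->dh_need
    n = min(max(dh_estimate(dh_need * 8), DH_GRP_MIN), DH_GRP_MAX)
    return DH_GRP_MIN, n, DH_GRP_MAX


def choose_dh(moduli_sizes, min_bits, n, max_bits):
    """Server side: pick a modulus size from an /etc/ssh/moduli-style list.
    Smallest size >= n inside [min, max]; if none is that large, the largest in range."""
    in_range = [m for m in moduli_sizes if min_bits <= m <= max_bits]
    if not in_range:
        raise ValueError("no modulus satisfies the client's [min, max] request")
    big_enough = [m for m in in_range if m >= n]
    return min(big_enough) if big_enough else max(in_range)


if __name__ == "__main__":
    server_moduli = [2048, 3072, 4096, 6144, 7680, 8192]  # constructed list of sizes
    for cipher, mac in [("aes128-ctr", "umac-64@openssh.com"), ("aes128-ctr", "hmac-sha2-256")]:
        lo, n, hi = requested_group_bits(cipher, mac)
        picked = choose_dh(server_moduli, lo, n, hi)
        print(f"{cipher}/{mac}: request min={lo} n={n} max={hi} -> server picks {picked}")
```

Running it shows the same client asking for a 3072-bit group with umac-64 and an 8192-bit group with hmac-sha2-256, because the MAC key length, not any RSA key, is what grows the requested size.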



More information about the Gnupg-users mailing list