2048 or 4096 for new keys? aka defaults vs. Debian

Paul R. Ramer free10pro at gmail.com
Sat Oct 26 06:16:26 CEST 2013

On 10/24/2013 04:46 PM, Robert J. Hansen wrote:
>> Is this zealotry on the Debian front, or something to update in gnupg?
> Mostly zealotry.  According to NIST, RSA-2048 is expected to be secure
> for about the next 25 years.

To add further to this, the U.S. military uses 2048 bit RSA keys for
their Common Access Cards (CAC cards), which are used for system
authentication and encrypted email.  The certificates that users are
issued are good for three years and then they issue a new CAC card to
the user.  The U.S. Department of Defense (DoD) has multiple root CAs,
and I know at least one of them (if not all of them) uses a 2048 bit RSA
key that is to be valid through 2029.

I am not saying that any one should use 2048 bit RSA because the DoD
uses it.  It is just a data point.  That being said, I am doubtful that
classified discussions are being done over email.  As far as I know,
they use it for sensitive but unclassified information such as
personally identifiable information like Social Security Numbers.  3DES
+ SHA1 + 2048 bit RSA is their preference for email.  It does not need
to be yours.



More information about the Gnupg-users mailing list