riseup.net OpenPGP Best Practices article

Robert J. Hansen rjh at sixdemonbag.org
Thu Jun 26 16:26:43 CEST 2014


> Ah, yes... the fetish of equinonecroflagellation. It has a strikingly common
> rate of incidence with maxicryptosizism...

Although I'm going to be (almost wholly) agreeing with John here, I'm
speaking just for myself.  If anyone wants to chime in with a
"d'accord," that's on them.  :)

What gets me about the RSA-2048/-3072/-4096 debate is how (largely)
pointless it is.  Per NIST, RSA-2048 has about a 112-bit effective
keyspace and -3072 has about a 128-bit effective keyspace.  There is no
official NIST recommendation for RSA-4096, but the cryppies I've spoken
with at conferences ballpark it at somewhere around 140 bits of
effective keyspace.

Now for the kicker: *no one* is guaranteed more than 112 bits of
effective keyspace in the emails they receive.  No one.  Even if you use
a hacked-up GnuPG and RSA-16384, you're deluding yourself if you think
you're guaranteed your emails will have an effective keyspace of 256 bits.

The reason why is four letters long: 3DES.  3DES, which is an
always-accept algorithm, has a keyspace of 112 bits[*].  Someone can use
your RSA-16384 key with 3DES and bam, the effective protection of your
email is down to 112 bits.

So in a very real sense, anything past RSA-2048 is at best a "you
*might* get some additional security, depending on what symmetric
algorithm your correspondent uses.  Oh, and you can't forbid your
correspondent from using 3DES, either."

I think it's funny how the people who advocate moving to RSA-4096 by
default generally don't talk much about how it is impossible to
guarantee more than 112 bits of effective encryption keyspace for an
email message.  Will it give you a stronger signature?  Maybe.  But it
very possibly won't give you any stronger encryption.

Now, this isn't to say there's no purpose in RSA-3072 or -4096.  Some
organizations have requirements that say "any encryption key we use must
provide 128 effective bits of keyspace."  In that case, if them's the
rules, then sure, use RSA-3072, it meets your requirements.

But for the people who advocate "let's shift to RSA-4096, it gives us
about an effective 32 bits more than RSA-2048!", well... I really wish
they'd talk about the drawbacks (can't use on a smartcard, may cause
problems for mobile devices, etc.) and the inherent limitations of
OpenPGP (can't guarantee more than 112 effective bits of encryption
keyspace).

So, in summation: I think the RSA-2048/-3072/-4096 debate is utterly
pointless.  To the extent I have any strong feelings on it at all, it is
this: you are less likely to delude yourself about the strength of the
system if you use RSA-2048.



[*] ... against an adversary with access to more computing power than is
likely to ever exist in the world, true; but 112 bits nevertheless.
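
The 3DES argument above, worked through as an added example that is not part of the original message. It models the RFC 4880 rule that TripleDES is tacitly at the end of every recipient's cipher preference list, and uses the strength figures quoted in the message. The function names and sample preference lists are constructed for illustration.

```python
# Added illustration. Algorithm IDs are the RFC 4880 symmetric algorithm numbers.
TRIPLE_DES = 2
# Nominal strength in bits per cipher ID; 3DES is 112 as stated in the message.
CIPHER_BITS = {2: 112, 3: 128, 7: 128, 8: 192, 9: 256, 10: 256}
# RSA strengths as quoted in the message (4096 is the informal ~140 ballpark).
RSA_BITS = {2048: 112, 3072: 128, 4096: 140}


def allowed_ciphers(prefs):
    """One recipient's preference list with 3DES tacitly appended."""
    ordered = list(dict.fromkeys(a for a in prefs if a in CIPHER_BITS))
    if TRIPLE_DES not in ordered:
        ordered.append(TRIPLE_DES)
    return ordered


def common_ciphers(recipient_prefs):
    """Ciphers every recipient accepts, in the first recipient's order."""
    lists = [allowed_ciphers(p) for p in recipient_prefs]
    return [a for a in lists[0] if all(a in other for other in lists[1:])]


def message_bits(rsa_modulus, cipher):
    """A message is only as strong as the weaker of its two layers."""
    return min(RSA_BITS[rsa_modulus], CIPHER_BITS[cipher])


def best_case_bits(rsa_modulus, prefs):
    """Strength if the sender picks the strongest cipher the key allows."""
    return max(message_bits(rsa_modulus, c) for c in allowed_ciphers(prefs))


def guaranteed_bits(rsa_modulus, prefs):
    """Strength the key owner can count on for any conforming sender."""
    return min(message_bits(rsa_modulus, c) for c in allowed_ciphers(prefs))


if __name__ == "__main__":
    prefs = [9, 8, 7]  # constructed sample: AES256, AES192, AES128
    for modulus in sorted(RSA_BITS):
        print(modulus, "best:", best_case_bits(modulus, prefs),
              "guaranteed:", guaranteed_bits(modulus, prefs))
```

The guaranteed column stays at 112 for every key size, because the key owner cannot remove 3DES from the set of ciphers a sender may use.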
