riseup.net OpenPGP Best Practices article

martijn.list martijn.list at gmail.com
Thu Jun 26 16:56:47 CEST 2014

On 06/26/2014 04:26 PM, Robert J. Hansen wrote:
>> Ah, yes... the fetish of equinonecroflagellation. It has a
>> strikingly common rate of incidence with maxicryptosizism...
> Although I'm going to be (almost wholly) agreeing with John here,
> I'm speaking just for myself.  If anyone wants to chime in with a 
> "d'accord," that's on them.  :)
> What gets me about the RSA-2048/-3072/-4096 debate is how
> (largely) pointless it is.  Per NIST, RSA-2048 has about a 112-bit
> effective keyspace and -3072 has about a 128-bit effective
> keyspace.  There is no official NIST recommendation for RSA-4096,
> but the cryppies I've spoken with at conferences ballpark it at
> somewhere around 140 bits of effective keyspace.
> Now for the kicker: *no one* is guaranteed more than 112 bits of 
> effective keyspace in the emails they receive.  No one.  Even if
> you use a hacked-up GnuPG and RSA-16384, you're deluding yourself
> if you think you're guaranteed your emails will have an effective
> keyspace of 256 bits.
> The reason why is four letters long: 3DES.  3DES, which is an 
> always-accept algorithm, has a keyspace of 112 bits[*].  Someone
> can use your RSA-16384 key with 3DES and bam, the effective
> protection of your email is down to 112 bits.
> So in a very real sense, anything past RSA-2048 is at best a "you 
> *might* get some additional security, depending on what symmetric 
> algorithm your correspondent uses.  Oh, and you can't forbid your 
> correspondent from using 3DES, either."
> I think it's funny how the people who advocate moving to RSA-4096
> by default generally don't talk much about how it is impossible to 
> guarantee more than 112 bits of effective encryption keyspace for
> an email message.  Will it give you a stronger signature?  Maybe.
> But it very possibly won't give you any stronger encryption.
> Now, this isn't to say there's no purpose in RSA-3072 or -4096.
> Some organizations have requirements that say "any encryption key
> we use must provide 128 effective bits of keyspace."  In that case,
> if them's the rules, then sure, use RSA-3072, it meets your
> requirements.
> But for the people who advocate "let's shift to RSA-4096, it gives
> us about an effective 32 bits more than RSA-2048!", well... I
> really wish they'd talk about the drawbacks (can't use on a
> smartcard, may cause problems for mobile devices, etc.) and the
> inherent limitations of OpenPGP (can't guarantee more than 112
> effective bits of encryption keyspace).
> So, in summation: I think the RSA-2048/-3072/-4096 debate is
> utterly pointless.  To the extent I have any strong feelings on it
> at all, it is this: you are less likely to delude yourself about
> the strength of the system if you use RSA-2048.
> [*] ... against an adversary with access to more computing power
> than is likely to ever exist in the world, true; but 112 bits
> nevertheless.

While in principle I agree that a 2048-bit key is strong enough for most
uses, comparing 3DES key space (or any other symmetric encryption
algorithm) and RSA (or some other public key system) key space is a
bit like comparing apples and oranges. If you crack the 3DES
encryption of a message you have cracked that particular message. If
you crack the RSA key, you have cracked all messages. So the effective
key space of your public key should be larger than the key space of
the session key(s).

Kind regards,

Martijn Brinkers

CipherMail email encryption

Open source email encryption gateway with support for S/MIME, OpenPGP
and PDF encryption.

