riseup.net OpenPGP Best Practices article

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Jun 26 17:22:21 CEST 2014 

On 06/25/2014 02:25 AM, Werner Koch wrote:
> This misunderstanding is actually an indication of the problem.  You are
> talking 4096 vs. 2048 while the more important case is to read the
> security announcements and update your gpg.

That's a great point.  I've just proposed a pull request on that page to
emphasize keeping your GnuPG implementation up-to-date.

however, if you *do* keep your software up-to-date, it would be a shame
for the crypto itself to be flawed enough to be broken by a
well-resourced attacker.  So standardizing on stronger crypto by default
seems reasonable to me.  The point is to ensure that the math itself is
not the weak point.

> I wonder why the keysize triggers bikeshedding discussions in all
> security groups.  After all the majority of us (including me) has not
> the education and experience to select the color (i.e. crypto math) on
> their own.

These choices are not pulled out of thin air or made up out of arbitrary
fancy.  There are people who do have the education and experience to
determine reasonable keysizes, like the ECRYPT project.

  http://www.ecrypt.eu.org/
  http://www.ecrypt.eu.org/documents/D.SPA.20.pdf

suggests (on pages 30-32) that the current GnuPG default of 2048-bit RSA
provides roughly 103-bit-equivalent security, which falls in the middle
of "legacy standard level" (≈10 years of protection) and "medium-term
protection" (≈20 years of protection).

ECRYPT's "Good, generic application-indep. recommendation" is at the
128-bit level, which they note for RSA keys is 3248 bits. The Riseup
guide suggests a marginally more conservative 4096-bit RSA keysize.

In practice, i've never found a modern cryptographic system that can't
handle 4096-bit RSA keys.  I have, however, found modern systems that
*can't* deal with 3248-bit RSA keys (X.509 certificate authorities who
expect the bitlength of any key to be a power of two for some unknown
and probably stupid reason).

So if we want to make a good, generic recommendation, the riseup
recommendation doesn't seem to be a bad one to me based on my reading of
ECRYPT II.

Regards,

	--dkg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1010 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20140626/a84b3760/attachment.sig>

More information about the Gnupg-users mailing list