FAQ: seeking consensus

Steffen Nurpmeso steffen at sdaoden.eu
Fri Oct 18 20:12:24 CEST 2019

Tony Lane via Gnupg-users wrote in <dd866d17-9f49-cf3f-e1a7-b626a7c4676a at gmail.com>:
 |Hash: SHA512

That seems to be a good choice.

 |On 10/17/19 3:38 PM, Steffen Nurpmeso wrote:
 |> You know, i would say people should be advised to use the most
 |> compatible, most secure keys available for their "very key".
 |> Regardless of computing cost that is.  And use specific "weaker",
 |> "faster" or whatever keys for specific purposes, like tarball
 |> signing, or whatever.  I have never understood any other advice,
 |> actually.  I have vague memories of a very "conservative" sentence
 |> on the use of PGP keys on the mentioned FreeBSD handbook page, it
 |> must be more than 15 years, and i have only read it once.
 |> I adhered to that, and i know that all the RSA 4096 things i have
 |> produced ever since will be safe for quite some time, maybe even
 |> until i die (which could happen anytime though), unless the
 |> quantum thing explodes somehow (not a mathematician here).
 |If you absolutely, positively, _need_ the most bits of security then
 |RSA4096 shouldn't be your go-to anymore. RSA4096 doesn't actually
 |provide 4096 bits of security. The _key_ sizes may be 4096 bits, but
 |you must understand the security comes from the cardinality of
 |prime numbers, so the actual amount of security is only 131 bits of
 |security. Compare this to RSA's 3072 bit keys providing 125 bits of
 |security. Unlike RSA, ECC keys don't scale logarithmically. For ECC,
 |the fields need to be a prime modulus, but that's about it. As a
 |result, the key sizes scale linearly with the bits of security by
 |a factor of 2. So, if you want the most security possible with GPG
 |_today_ you won't beat curve P-521, which provides ~261 bits of
 |security, and to get an equivalent in RSA your key size would need
 |to be at least 15360.
 |But you have to understand, even 128 bits of security is so

I might a bit if i follow this road long enough.

 |incredibly large that even the combined computing power of every
 |processor we have now won't be enough to crack it. See:
 |https://crypto.stackexchange.com/a/48669 for just how much effort
 |it'd take.
 |By the way, 256 bits of security isn't twice the amount of 128 bits.
 |129 bits is twice the amount of security of 128 bits. Get it?
 |If you are curious just how much effort it'd take to break a 256 bit
 |key, I'd argue that it's physically impossible because there simply
 |isn't enough energy in the universe to break it... see:

My download quota is exceeded until the 22nd.  But i will have a look.

 |But I digress. It's not the bits of security that matter anymore.

For me the fascinating thing in this area are all those ideas
which human minds had to not have a need to do brute force
searching.  Regarding my GPG passwords i think nothing much can be
done about that though, except restricting the search to the bytes
that pass "tr -cd 'a-zA-Z0-9_.,=@%^+-'", but which is already
a significant reduction.

 |You have a far bigger chance of being insecure with side-channel
 |attacks etc, than you are with not enough bits of security. That is
 |a far bigger security hole... Being on a device that is exposed

Yeah, the passwords which were stolen by talking in my sleep are
a real problem.

 |to the internet. That's where you'd get cracked. Not the key size
 |being too small.

Actually i do not think that is really true, or only by accident.
I think the problems are theft, trojan horses, threat of force,
and that unfortunately includes coercive detention also (maybe
also only and even) in our western first world.  So even with what
for example FreeBSD has, where you can have some space on your
harddisk which looks like random data but actually contains an
encrypted partition, (i am pretty sure in the Linux world this is
also doable somehow), there are drugs and other specialists which
can make you talk and reveal that presence.  At some later time
i would expect a court order to access log etc. data in and of the
brain implant will increase personal rights and freedom.

And "not the key size being too small" may likely be true, but
shortly after Y2K, i am pretty sure i remember right, the "usual
defaults" were 1024 bits for RSA or so, and whoever followed that
advice and had some records protected by such a key, and there are
records which are of real value, might have or look forward to
problems if they got lost.  Which thus brings me back to the
FreeBSD developer handbook entry which talked about 4096 bit keys
around that time.

So yes, an excursion like yours is pretty cool and of value, and
experts do know, but for "normal people" i would always favour the
best thinkable default.  For that audience that EC stuff may also
just work, then.  I mean, the thing is that "normal people"
usually never get to use GnuPG directly anyway, and having the
best defaults if gpg gets used indirectly by application programs
is possibly better than having lots of configurations in this app
and that app.  (Like the central OpenSSL configuration file that
is now possible, with sections for individual programs.  Though
programs need adjustments to use that.)

Btw., you use autocrypt headers, in this mail of yours there are
thus two certificate keys included.  Unfortunately my MUA cannot
yet handle either of them, and will not before next spring.
At that time we will support PGP/MIME and inline signed/encrypted
messages (even though it will not be nice until some later
time).  And will have a look into OpenPGP: headers.  But not
autocrypt, no.

 --End of <dd866d17-9f49-cf3f-e1a7-b626a7c4676a at gmail.com>

|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
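Added example, not part of the original message and not code from GnuPG or from anyone on the list: how the "bits of security" figures for RSA and ECC key sizes argued about above are usually estimated. For RSA the script evaluates the asymptotic General Number Field Sieve cost L_n[1/3, (64/9)^(1/3)] and expresses it in bits; for ECC it uses the generic square-root (Pollard rho) bound, i.e. half the group order in bits. The NIST SP 800-57 comparable-strength figures (RSA-2048: 112, RSA-3072: 128, RSA-15360: 256) are embedded as a reference point. The raw asymptotic formula drops its o(1) term and therefore lands roughly ten bits above the NIST table, which is one reason different sources quote different numbers for the same modulus size; the curve sizes and the NIST figures are the only real data, everything else is computed.

```python
"""Estimate the symmetric-equivalent security of RSA and ECC key sizes.

Added example for the key-size discussion above; not code from GnuPG or
from anyone on the mailing list.  Two standard heuristics are used:
  - RSA: asymptotic General Number Field Sieve cost L_n[1/3, (64/9)^(1/3)]
  - ECC: generic square-root (Pollard rho) bound, half the group order bits
"""
from __future__ import annotations

import math

# NIST SP 800-57 Part 1 comparable-strength figures (RSA modulus bits ->
# security bits), kept as the reference point the heuristic is compared to.
NIST_RSA_STRENGTH = {1024: 80, 2048: 112, 3072: 128, 7680: 192, 15360: 256}

# NIST prime curves with the bit length of their (prime) group order.
NIST_CURVES = {"P-256": 256, "P-384": 384, "P-521": 521}


def rsa_security_bits(modulus_bits: int) -> float:
    """log2 of the GNFS operation count for factoring a modulus of this size.

    L_n[1/3, c] = exp(c * (ln n)^(1/3) * (ln ln n)^(2/3)), c = (64/9)^(1/3).
    The o(1) correction is dropped, so results run ~10 bits above NIST's table.
    """
    ln_n = modulus_bits * math.log(2)  # ln of a modulus of about 2^modulus_bits
    c = (64.0 / 9.0) ** (1.0 / 3.0)
    return c * ln_n ** (1.0 / 3.0) * math.log(ln_n) ** (2.0 / 3.0) / math.log(2)


def ecc_security_bits(order_bits: int) -> float:
    """Best generic attack on a prime-order curve group costs O(sqrt(n)):
    half the bits of the group order."""
    return order_bits / 2.0


def comparison_rows() -> list[tuple[str, int, float, int | None]]:
    """One (label, key bits, estimated security bits, NIST figure or None)
    tuple per key type; RSA rows first, ascending by modulus size."""
    rows = []
    for bits in sorted(set(NIST_RSA_STRENGTH) | {4096}):
        rows.append((f"RSA-{bits}", bits, rsa_security_bits(bits),
                     NIST_RSA_STRENGTH.get(bits)))
    for name, bits in NIST_CURVES.items():
        rows.append((name, bits, ecc_security_bits(bits), None))
    return rows


def security_bits_gained(key_type: str, from_bits: int, to_bits: int) -> float:
    """Security bits bought by growing a key from from_bits to to_bits.
    Makes the scaling difference visible: +1024 RSA bits buys far less than
    +1024 ECC bits, because GNFS is sub-exponential while rho is exponential."""
    f = rsa_security_bits if key_type == "rsa" else ecc_security_bits
    return f(to_bits) - f(from_bits)


if __name__ == "__main__":
    print(f"{'key':<10}{'key bits':>10}{'est. security':>15}{'NIST':>8}")
    for label, bits, est, nist in comparison_rows():
        print(f"{label:<10}{bits:>10}{est:>15.1f}{'' if nist is None else nist:>8}")
    print("RSA 3072 -> 4096 gains %.1f bits; ECC 384 -> 521 gains %.1f bits"
          % (security_bits_gained("rsa", 3072, 4096),
             security_bits_gained("ecc", 384, 521)))
```

Running it prints the table; the interesting line is the last one, which shows that adding a kilobit to an RSA modulus buys well under twenty bits of estimated security, while every extra curve bit buys half a bit.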
