
Re: Bits from keyring-maint



On Tue, Sep 14, 2010 at 03:55:30PM -0300, Henrique de Moraes Holschuh wrote:
> There is a thread about this now in the cryptography ML.  If anything really
> interesting shows up there, I will relay it here.  I am certainly
> interested in our bias towards RSA and away from DSA2 and ElGamal, for
> example...

There have never been any practical limits to RSA keys for OpenPGP.  The
way to encode a signature in RSA keys works equally well for any key
size.  Now that there is no longer any patent for RSA, there are no
practical issues related to it, and the algorithm has been around for a
long time, is conceptually simple, and is well-understood.

DSA has had several issues.  One is that RFC 2440, which originally
specified DSA keys, limited them to 1024 bits.  This has generally been
thought to be too short for long-term use.  Another is that because the
hash value is used directly as a parameter, a strong hash of sufficient
size has to be used.  RFC 2440 did not specify any of the SHA-2
algorithms either, which made it difficult to specify larger key
sizes[0].  The third, which is very important, is that DSA uses a random
number to compute each signature.  This number must never, ever, be
repeated.  If this number (k) is ever repeated, it becomes *trivial* to
determine the private key.  This is what happened with the OpenSSL
problem: every DSA key used with a poor PRNG (not generated, simply
used) should be assumed to be compromised.

You now see why RSA is very popular.

[0] Strictly, this only limits the size of q, but increasing p without
some increase in q does not really provide significantly more security.

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
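
The nonce-reuse failure described in the message above, as an added example that is not part of the original post: two signatures from one key that share r were made with the same k, and the signing equation then solves directly for the private key, which is why such a key has to be treated as compromised. The group parameters, key, nonces, messages and all function names are constructed for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed toy DSA group, far too small for real use: Q divides P - 1 and
# G = 2^((P-1)/Q) mod P has order Q.
P, Q, G = 607, 101, 64

def digest(msg):
    """Message hash reduced mod Q, the value that enters the signing equation."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q

def sign(x, k, h):
    """DSA signature (r, s) over digest h with private key x and nonce k."""
    r = pow(G, k, P) % Q
    s = pow(k, -1, Q) * (h + x * r) % Q
    return r, s

def find_reused_nonces(log):
    """Group (h, r, s) records from one key by r; a repeated r means k repeated.
    (In this toy group unrelated k can also collide on r; at real sizes they do not.)"""
    by_r = defaultdict(list)
    for rec in log:
        by_r[rec[1]].append(rec)
    return [recs for recs in by_r.values() if len(recs) > 1]

def recover_private_key(a, b):
    """Solve s = k^-1 (h + x*r) mod Q for x from two signatures made with one k."""
    (h1, r, s1), (h2, _, s2) = a, b
    ds = (s1 - s2) % Q
    if ds == 0 or r == 0:
        return None  # same digest or degenerate r: nothing to solve
    k = (h1 - h2) * pow(ds, -1, Q) % Q        # s1 - s2 = k^-1 (h1 - h2)
    return (s1 * k - h1) * pow(r, -1, Q) % Q  # x = (s*k - h) / r

if __name__ == "__main__":
    x = 57                      # constructed private key
    msgs = [b"upload A", b"upload B", b"upload C"]
    nonces = [5, 7, 5]          # constructed: the third signature repeats k = 5
    log = [(digest(m), *sign(x, k, digest(m))) for m, k in zip(msgs, nonces)]
    for group in find_reused_nonces(log):
        print("shared r =", group[0][1], "-> recovered x =",
              recover_private_key(group[0], group[1]))
```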
