
Re: RSA vs ECDSA (Was: Bits from keyring-maint: Pushing keyring updates. Let us bury your old 1024D key!)



On Tue, Mar 4, 2014, at 21:33, Gunnar Wolf wrote:
> Ondřej Surý dijo [Tue, Mar 04, 2014 at 08:10:47PM +0100]:
> > On Mon, Mar 3, 2014, at 19:13, Gunnar Wolf wrote:
> > > As keyring maintainers, we no longer consider 1024D keys to be
> > > trustable. We are not yet mass-removing them, because we don't want to
> > > hamper the project's work, but we definitively will start being more
> > > aggressively deprecating their use. 1024D keys should be seen as
> > > brute-force vulnerable nowadays. Please do migrate away from them into
> > > stronger keys (4096R recommended) as soon as possible.
> > 
> > I am not sure what's the timeframe for GnuPG 2.1.0[1] release, but would
> > it be possible to skip the RSA and go directly for ECDSA, before we
> > start deprecating DSA? Or at least have an option to do so? (Well,
> > unless the GnuPG 2.1 release is too far in the future.)
> 
> Umh, I feel I have to answer this message, but I clearly don't have
> enough information to do so in an authoritative way¹. AIUI, ECDSA has
> not been shown to be *stronger* than RSA — RSA works based on modulus
> operations, ECDSA on curve crypto. ECDSA keys can be smaller and
> achieve (again, AIUI) the same level of security. But nothing so far
> shows that RSA will be broken before or after ECDSA.
> 
> Barring somebody pointing me to the right place to read, my take would
> be that we should accept both RSA and ECDSA keys

Yes. I didn't suggest that we drop RSA.

> (of what minimum size/strength?).

These might provide guidance (even for RSA key lengths).

http://www.keylength.com/en/compare/#Biblio4
http://csrc.nist.gov/groups/ST/toolkit/key_management.html

and

http://csrc.nist.gov/publications/nistpubs/800-78-3/sp800-78-3.pdf

NIST seems to recommend at least 2048 bits for RSA and Curve P-256 for
ECDSA.

O.
-- 
Ondřej Surý <ondrej@sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
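An added example, not from this thread, GnuPG or the NIST documents linked above: it maps GnuPG-style key descriptors such as "1024D" and "4096R", or a NIST curve name, onto the security-strength rows of NIST SP 800-57 Part 1 (Table 2), which is the table keylength.com reproduces. The descriptor letters R/D/g, the curve-name aliases and the 112-bit policy threshold used as a default are assumptions of this example.

```python
"""Rate GnuPG-style key descriptors against NIST SP 800-57 security strengths.

Added illustration; the table is NIST SP 800-57 Part 1 Table 2, the
descriptor parsing and the 112-bit default threshold are assumptions.
"""
import re

# (security strength in bits, minimum FFC/IFC modulus bits, minimum ECC field bits)
# FFC = DSA / ElGamal, IFC = RSA, ECC = ECDSA / ECDH.  Rows are stepwise:
# a 4096-bit RSA key clears the 3072 row but not the 7680 row, so it rates 128.
_STRENGTH_TABLE = (
    (80, 1024, 160),
    (112, 2048, 224),
    (128, 3072, 256),
    (192, 7680, 384),
    (256, 15360, 512),
)

_FAMILY = {
    "RSA": "ifc",
    "DSA": "ffc",
    "ELGAMAL": "ffc",
    "ECDSA": "ecc",
    "ECDH": "ecc",
}

# Assumed curve-name aliases -> field size in bits.
_CURVES = {
    "p-256": 256, "nistp256": 256, "secp256r1": 256,
    "p-384": 384, "nistp384": 384, "secp384r1": 384,
    "p-521": 521, "nistp521": 521, "secp521r1": 521,
}

# Assumed legacy GnuPG listing letters: 4096R, 1024D, 2048g.
_LEGACY = re.compile(r"^(\d+)([RDg])$")
_LEGACY_ALGO = {"R": "RSA", "D": "DSA", "g": "ELGAMAL"}


def security_strength(algorithm, bits):
    """Return the SP 800-57 strength (0 if below the smallest row)."""
    family = _FAMILY[algorithm.upper()]
    strength = 0
    for level, ffc_ifc_min, ecc_min in _STRENGTH_TABLE:
        threshold = ecc_min if family == "ecc" else ffc_ifc_min
        if bits >= threshold:
            strength = level
    return strength


def parse_key_descriptor(desc):
    """'4096R' -> ('RSA', 4096); 'P-256' -> ('ECDSA', 256)."""
    desc = desc.strip()
    m = _LEGACY.match(desc)
    if m:
        return _LEGACY_ALGO[m.group(2)], int(m.group(1))
    if desc.lower() in _CURVES:
        return "ECDSA", _CURVES[desc.lower()]
    raise ValueError("unrecognised key descriptor: %r" % desc)


def meets_minimum(desc, min_strength=112):
    """True if the key rates at least min_strength bits (default: the 112-bit
    row, which contains NIST's RSA-2048 / P-224 minimums; assumed policy)."""
    algo, bits = parse_key_descriptor(desc)
    return security_strength(algo, bits) >= min_strength


def audit(descriptors, min_strength=112):
    """Return {descriptor: (strength, ok)} for a batch of keys."""
    report = {}
    for desc in descriptors:
        algo, bits = parse_key_descriptor(desc)
        strength = security_strength(algo, bits)
        report[desc] = (strength, strength >= min_strength)
    return report


if __name__ == "__main__":
    # Constructed sample keyring entries, not real keys.
    for desc, (strength, ok) in audit(["1024D", "2048R", "4096R", "P-256"]).items():
        print("%-6s %3d-bit strength  %s" % (desc, strength, "ok" if ok else "DEPRECATE"))
```

Note that the table rates a key by size alone; a real policy also has to pin the signature hash (an ECDSA/P-256 signature over SHA-1 is still capped at 80 bits by the hash).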

