
Re: RSA vs ECDSA (Was: Bits from keyring-maint: Pushing keyring updates. Let us bury your old 1024D key!)



On Wed, Mar 05, 2014 at 08:29:37AM +0100, Ondrej Surý wrote:
> On Tue, Mar 4, 2014, at 21:33, Gunnar Wolf wrote:
> > Ondrej Surý dijo [Tue, Mar 04, 2014 at 08:10:47PM +0100]:
> > > On Mon, Mar 3, 2014, at 19:13, Gunnar Wolf wrote:
> > > > As keyring maintainers, we no longer consider 1024D keys to be
> > > > trustable. We are not yet mass-removing them, because we don't want to
> > > > hamper the project's work, but we definitively will start being more
> > > > aggressively deprecating their use. 1024D keys should be seen as
> > > > brute-force vulnerable nowadays. Please do migrate away from them into
> > > > stronger keys (4096R recommended) as soon as possible.
> > > 
> > > I am not sure what's the timeframe for GnuPG 2.1.0[1] release, but would
> > > it be possible to skip the RSA and go directly for ECDSA, before we
> > > start deprecating DSA? Or at least have an option to do so? (Well,
> > > unless GnuPG 2.1 release is too far in the future.)
> > 
> > Umh, I feel I have to answer this message, but I clearly don't have
> > enough information to do so in an authoritative way¹. AIUI, ECDSA has
> > not been shown to be *stronger* than RSA -- RSA works based on modulus
> > operations, ECDSA on curve crypto. ECDSA keys can be smaller and
> > achieve (again, AIUI) the same level of security. But nothing so far
> > shows that RSA will be broken before or after ECDSA.
> > 
> > Barring somebody pointing me to the right place to read, my take would
> > be that we should accept both RSA and ECDSA keys
> 
> Yes. I didn't suggest that we drop RSA.
> 
> > (of what minimum size/strength?).
> 
> These might provide guidance (even for RSA key lengths).
> 
> http://www.keylength.com/en/compare/#Biblio4
> http://csrc.nist.gov/groups/ST/toolkit/key_management.html
> 
> and
> 
> http://csrc.nist.gov/publications/nistpubs/800-78-3/sp800-78-3.pdf
> 
> NIST seems to recommend at least 2048 bits for RSA and Curve P-256 for
> ECDSA

You might want to take a look at http://safecurves.cr.yp.to/
before using the P-curves.


Kurt

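The thread's practical question is which keys in a keyring fall below the floors it mentions: 1024-bit DSA no longer trustable, RSA at least 2048 bits (4096 recommended), ECDSA on P-256 or larger, with Kurt's caveat that the NIST P-curves deserve a look at safecurves.cr.yp.to first. The audit script below is an added example written for this page, not code from keyring-maint, GnuPG or any poster. It parses the machine-readable output of `gpg --with-colons --list-keys` (the field layout is GnuPG's documented colon format; the listing embedded here is constructed sample data, and the key IDs and user IDs in it are not real keys) and reports every primary key that misses the policy floors. The threshold table and the "review NIST P-curve" status are assumptions encoding the thread's advice, not GnuPG settings.

```python
# Added example: audit a GnuPG keyring listing against the key-strength floors
# discussed on the list. Input is `gpg --with-colons --list-keys` output; the
# sample listing below is constructed and contains no real keys.

from dataclasses import dataclass
from typing import Dict, List

# OpenPGP public-key algorithm IDs as they appear in field 4 of a "pub" record.
ALGO_NAMES = {1: "RSA", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}

# Policy floors (assumed for this example, drawn from the thread): RSA >= 2048
# per NIST, DSA 1024 deprecated so DSA must also be >= 2048, ECDSA on a
# 256-bit curve or larger, EdDSA (Ed25519) accepted at its native size.
MIN_BITS = {"RSA": 2048, "DSA": 2048, "ECDSA": 256, "EdDSA": 255}

# Constructed sample listing in GnuPG colon format: one 1024D key, one 4096R
# key, one ECDSA P-256 key and one 2048R key.
SAMPLE_LISTING = """\
tru::1:1393000000:0:3:1:5
pub:u:1024:17:0123456789ABCDEF:2003-05-11:::u:::scESCA::::::23::0:
uid:u::::2003-05-11::AAAA::Alice Example (constructed) <alice@example.org>::::::::::0:
sub:u:2048:16:FEDCBA9876543210:2003-05-11::::::e::::::23:
pub:u:4096:1:1111222233334444:2014-03-05:::u:::scESC::::::23::0:
uid:u::::2014-03-05::BBBB::Bob Example (constructed) <bob@example.org>::::::::::0:
pub:u:256:19:5555666677778888:2014-03-05:::u:::scESC:::::nistp256:23::0:
uid:u::::2014-03-05::CCCC::Carol Example (constructed) <carol@example.org>::::::::::0:
pub:u:2048:1:9999AAAABBBBCCCC:2010-01-01:::u:::scESC::::::23::0:
"""


@dataclass
class KeyRecord:
    keyid: str
    algo: str
    bits: int
    curve: str  # empty for RSA/DSA; curve name for ECC keys


def parse_colon_listing(text: str) -> List[KeyRecord]:
    """Extract primary keys ("pub" records) from gpg --with-colons output.

    Field positions (0-based after splitting on ':'): 2 = key length in bits,
    3 = algorithm ID, 4 = long key ID, 16 = curve name for ECC keys.
    """
    keys: List[KeyRecord] = []
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] != "pub":
            continue  # skip trust records, uids and subkeys
        bits = int(fields[2])
        algo = ALGO_NAMES.get(int(fields[3]), "algo" + fields[3])
        curve = fields[16] if len(fields) > 16 else ""
        keys.append(KeyRecord(fields[4], algo, bits, curve))
    return keys


def classify(key: KeyRecord) -> str:
    """Return "weak", "ok", "review-nist-pcurve" or "unknown-algorithm"."""
    floor = MIN_BITS.get(key.algo)
    if floor is None:
        return "unknown-algorithm"
    if key.bits < floor:
        return "weak"
    # Meets the size floor; Kurt's point is that the NIST P-curves still merit
    # a separate review, so flag them rather than silently passing them.
    if key.algo == "ECDSA" and key.curve.startswith("nistp"):
        return "review-nist-pcurve"
    return "ok"


def audit(text: str) -> Dict[str, str]:
    """Map each primary key ID in the listing to its classification."""
    return {k.keyid: classify(k) for k in parse_colon_listing(text)}


def weak_keys(text: str) -> List[str]:
    """Key IDs that must be replaced under the assumed policy."""
    return [keyid for keyid, status in audit(text).items() if status == "weak"]


if __name__ == "__main__":
    # Run against a real keyring with:
    #   gpg --with-colons --list-keys | python3 audit_keys.py
    import sys
    listing = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LISTING
    for k in parse_colon_listing(listing):
        print(f"{k.keyid} {k.bits:>5}{k.algo[0]} {k.curve:<10} {classify(k)}")
```

The sample run reports the 1024-bit DSA key as weak, accepts both RSA keys, and marks the P-256 key for review; a key using an algorithm ID the table does not know is reported as such instead of being assumed safe.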
