On Tue, Sep 14, 2010 at 03:55:30PM -0300, Henrique de Moraes Holschuh wrote:
> There is a thread about this now in the cryptography ML. If anything really
> interesting shows up there, I will relay it here. I am certainly
> interested in our bias towards RSA and away from DSA2 and ElGamal, for
> example...

There have never been any practical limits to RSA keys for OpenPGP. The way to encode a signature in RSA keys works equally well for any key size. Now that there is no longer any patent for RSA, there are no practical issues related to it, and the algorithm has been around for a long time, is conceptually simple, and is well-understood.

DSA has had several issues. One is that RFC 2440, which originally specified DSA keys, limited them to 1024 bits. This has generally been thought to be too short for long-term use. Another is that because the hash value is used directly as a parameter, a strong hash of sufficient size has to be used. RFC 2440 did not specify any of the SHA-2 algorithms either, which made it difficult to specify larger key sizes[0].

The third, which is very important, is that DSA uses a random number to compute each signature. This number must never, ever, be repeated. If this number (k) is ever repeated, it becomes *trivial* to determine the private key. This is what happened with the OpenSSL problem: every DSA key used with a poor PRNG (not generated, simply used) should be assumed to be compromised.

You now see why RSA is very popular.

[0] Strictly, this only limits the size of q, but increasing p without some increase in q does not really provide significantly more security.

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
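
An added example, not part of the original message: the r half of a DSA signature is computed from k and the domain parameters only, so a repeated k shows up as a repeated r on different messages under the same key, which an audit of stored signatures can flag. The toy parameters, the private key, the record layout and the function names are all constructed for this illustration, and the hash is reduced mod q as a simplification.

```python
import hashlib
from collections import defaultdict

# Constructed toy domain parameters, far too small for real use; Q divides P - 1.
P, Q, G = 607, 101, 64   # G = 2**((P - 1) // Q) % P, an element of order Q
X = 57                   # constructed private key, 0 < X < Q

def digest(msg: bytes) -> int:
    # Simplification: SHA-256 reduced mod Q rather than truncated to Q's bit length.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q

def sign(msg: bytes, k: int) -> tuple:
    """DSA signature with the per-signature number k passed in explicitly."""
    r = pow(G, k, P) % Q                           # r is a function of k alone
    s = pow(k, -1, Q) * (digest(msg) + X * r) % Q  # s ties k to the private key
    return r, s

def find_reused_k(records):
    """records: iterable of (key_id, msg, (r, s)).

    Returns {(key_id, r): [msgs]} for every r that appears on two or more
    distinct messages under one key. Identical re-sends of one message are
    ignored, since deterministic-nonce signers repeat k for the same input.
    """
    seen = defaultdict(set)
    for key_id, msg, (r, _s) in records:
        seen[(key_id, r)].add(msg)
    return {key: sorted(msgs) for key, msgs in seen.items() if len(msgs) > 1}

def sample_log():
    # Constructed signature log: the third entry repeats the k of the first.
    return [
        ("key-A", b"release 1.0", sign(b"release 1.0", 3)),
        ("key-A", b"release 1.1", sign(b"release 1.1", 5)),
        ("key-A", b"release 1.2", sign(b"release 1.2", 3)),   # k repeated
        ("key-A", b"release 1.0", sign(b"release 1.0", 3)),   # exact re-send
    ]

if __name__ == "__main__":
    for (key_id, r), msgs in find_reused_k(sample_log()).items():
        print(f"{key_id}: r={r} shared by {msgs}; treat this key as compromised")
```
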