Thanks for the responses, all. Good stuff.

Alaric wrote:

"considering this https://www.financialcryptography.com/mt/archives/000551.html why would you bother with anything less than 2048 bit keys."

I'm inclined to agree with you, from a security standpoint. I appreciate you sending this as it gives me some 'ammunition' against colleagues of mine who argue that the additional storage taken up by encrypted data trumps the security of a long cryptography key. But, there are those who feel that way, especially since the encryption is not going to be the weak link in our data security for this product, at least for now.

David wrote:

"Yes, but it's almost impossible to answer this because it's not clear what you're doing. Are you storing the keys or the results? 1024 bit keys with what algorithm? The only key type that is locked to 1024 bits is DSA and that's a signing algorithm, so encryption never comes into the equation."

The key that's used for encryption, according to the Handbook, is the El-Gamal sub-key that gets created, along with the DSA signing key, when you invoke 'gpg --gen-key'.

The concern is over database storage of the results, not the keys. I could store them outside the database, but I'd rather not as that adds a level of indirection, additional complexity, and another point of failure to the design. The algorithm is whatever is used by 'gpg --encrypt'.

In a nutshell, I'm encrypting data entered via a website and storing it in a database for later retrieval and decryption by real-time user programs. I don't want to give up the value that the PGP brand adds to the product, but I can understand that some of my colleagues have concerns about the storage requirements, even though I have done worst-case analyses which indicate that the storage we need is available at minimal cost. I'm willing to address those concerns with some weakening of the public key security, given that there are other mechanisms in place to protect vital data (SSL for one).

Thanks again!
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
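The storage argument in the message above hinges on how much of a 'gpg --encrypt' result actually depends on the public-key size. Because OpenPGP is hybrid encryption, the key size only affects the one Public-Key Encrypted Session Key packet per recipient; the bulk of the stored blob is symmetric ciphertext whose size tracks the plaintext, not the key. The following Python estimator is an added example, not code from this thread or from GnuPG, and it models the RFC 4880 packet layouts under stated assumptions: binary output (no ASCII armor), no compression (so it is an upper bound for compressible data), new-format packet headers, an empty filename in the literal data packet, and the integrity-protected (MDC) data packet with a 16-byte cipher block. The function names ('pkesk_size', 'seipd_size', 'message_size') are mine.

```python
"""Estimate stored size of an OpenPGP encrypted message vs. public-key size.

Added example for the gnupg-users discussion above; not GnuPG code.
Packet layouts follow RFC 4880.  Assumptions (labelled per function):
binary output, no compression, new-format packet headers, empty filename,
SEIPD packet with MDC, 16-byte block cipher (e.g. AES).
"""


def _mpi_len(bits: int) -> int:
    # RFC 4880 MPI: 2-byte bit-length prefix + ceil(bits / 8) value bytes
    return 2 + (bits + 7) // 8


def _packet_header_len(body_len: int) -> int:
    # New-format packet header: 1 tag byte + 1, 2 or 5 length bytes
    # (assumption: gpg may emit old-format headers; totals differ by at most 1)
    if body_len < 192:
        return 2
    if body_len < 8384:
        return 3
    return 6


def pkesk_size(key_bits: int, algo: str = "elgamal") -> int:
    """Public-Key Encrypted Session Key packet (tag 1) for one recipient.

    This is the only part of the message whose size grows with key length.
    """
    # version(1) + key ID(8) + public-key algorithm(1) + encrypted session key
    # RSA: one MPI (m^e mod n); Elgamal: two MPIs (g^k mod p, m*y^k mod p)
    n_mpis = {"rsa": 1, "elgamal": 2}[algo.lower()]
    body = 1 + 8 + 1 + n_mpis * _mpi_len(key_bits)
    return _packet_header_len(body) + body


def seipd_size(plaintext_len: int, block_bytes: int = 16) -> int:
    """Sym. Encrypted Integrity Protected Data packet (tag 18), no compression.

    Assumes an empty filename in the literal data packet (as when gpg reads
    from stdin).  Independent of the public-key size.
    """
    # Literal data packet (tag 11): format(1) + filename length(1) + date(4) + data
    literal_body = 1 + 1 + 4 + plaintext_len
    literal = _packet_header_len(literal_body) + literal_body
    # Encrypted content: random prefix (one block) + 2 check bytes + literal
    # packet + MDC packet (tag 19: 2-byte header + 20-byte SHA-1)
    inner = block_bytes + 2 + literal + 22
    body = 1 + inner  # version byte + encrypted data
    return _packet_header_len(body) + body


def message_size(plaintext_len: int, key_bits: int,
                 algo: str = "elgamal", recipients: int = 1) -> int:
    """Estimated size in bytes of the binary gpg --encrypt output."""
    return recipients * pkesk_size(key_bits, algo) + seipd_size(plaintext_len)


def overhead(plaintext_len: int, key_bits: int, algo: str = "elgamal") -> int:
    """Bytes added on top of the plaintext for one recipient."""
    return message_size(plaintext_len, key_bits, algo) - plaintext_len


if __name__ == "__main__":
    # Constructed sample plaintext lengths, e.g. web-form field sizes
    for plen in (100, 1000, 100_000):
        for bits in (1024, 2048, 4096):
            print(f"plaintext {plen:>7} B, Elgamal {bits}-bit: "
                  f"stored {message_size(plen, bits):>7} B, "
                  f"overhead {overhead(plen, bits):>4} B")
```

Run as a script, the table shows the per-message overhead moving from 1024-bit to 2048-bit Elgamal by a constant 256 bytes (two MPIs, 128 bytes each) regardless of whether the plaintext is 100 bytes or 100 KB, which is the figure to put against a worst-case storage analysis; multiply by the number of recipients if the data is encrypted to several keys. ASCII armor ('--armor') would add roughly a third again plus header lines, and gpg's default compression would usually shrink the symmetric part, so the estimate is a ceiling for binary output.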