Robert J. Hansen wrote: > On 12/9/10 1:30 PM, Ben McGinnes wrote: > > If/when the time comes for SHA-1 to be completely removed from OpenPGP, > the migration path will quite likely involve new keys -- the same way > that the V3/V4 migration path in the past necessitated new keys. > >> Since I prefer a more long-term approach, this should eventually lead >> to 8,192-bit encryption keys when 4,096-bit becomes the default. > > It is unlikely it ever will. 3K RSA keys are believed to be equivalent > to a 128-bit symmetric key. If computational power ever develops to > that point, the solution is going to involve moving to entirely > different algorithms instead of just tacking on another couple of bits.
Big ACK to what Rob just said. Why 8192? 4096 RSA is extremely *unlikely* to ever be a default. Over the summer, readers of the [Cryptography] mailing list were reminded that in 1993 folks thought that 1024-bit RSA 'should be ok (safe from key-factoring attacks) for "a few decades".' A later post in that same thread went on to compare equivalent strengths of RSA, symmetric keys and Elliptic Curve (ECC) keys. How do elliptic curves compare to RSA today? From the National Institutes of Science and Technology (one of the gold standards for engineering know-how): RSA ECC Sym 1024 160 80 2048 224 112 3072 256 128 7680 384 192 15360 512 256 These recommendations can be found on page 63 of NIST Special Publication 800-57, Recommendations for Key Management, Part I. 2nd Revision, 8 Mar, 2007. [http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf] 112-bit symmetric is usually a reference to [three-key] 3DES. (It's worth noting that most people in the crypto community are *deeply* skeptical of any claims that 3DES can be cracked. If 112 bits of symmetric encryption are good enough for your purposes, then RSA-2048 should also be good enough for your purposes.) That is to say, a 3072 bit RSA key is as tough as an ECC key based on a 256 bit field, which is as tough as a 128 bit symmetric key. ECC cryptosystems on 256 bit field are practical today. 3072 bit RSA systems are not. The NSA's 2010 Suite-B[4] recommendations are: Type Symmetric Elliptic Curve Hash Secret 128 256 256 Top Secret 256 384 384 A key aspect of Suite B is its use of elliptic curve technology instead of classical public key technology. During the transition to the use of elliptic curve cryptography in ECDH and ECDSA, DH, DSA and RSA can be used with a 2048-bit modulus to protect classified information up to the _secret_ level [http://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml]. So, depending on the source, a consensus seems to be forming that beyond a 2048 or 3072 bit modulus for DSA2 or RSA, folks need to switch to ECC. 2048-RSA is the current default in GnuPG. OpenPGP cards will support up to 3072-bit RSA; GnuPG up to 4096-bit RSA and 3072-bit DSA2. ECC in OpenPGP is on its way toward becoming a RFC and being included in OpenPGP. Larger and larger RSA keys aren't the solution, ECC is. The balance of power has tipped away from RSA and toward ECC. Feel free to ignore everything I've told you. There's no reason you should trust me. But by all means, keep asking questions. But everything I've read agrees longer RSA are not the path forward. -John
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
