On 12/17/2013 08:27 PM, Robert J. Hansen wrote:
> Yes -- but no one is claiming that 112-bit keyspaces are vulnerable
> today, or at any time within the near future. Further, moving to a
> 128-bit keyspace is not, IMO, any sort of a real win: you're only
> gaining 16 bits of keyspace. At most you're pushing things back for a
> few years; it is not any kind of a long-term solution.
from ≈20 years to ≈30 years, if we believe ECRYPT. Of course it's not a forever solution. It's still a significant improvement, and it's one we can afford.

>> If we want to "even out" the crypto so that no one part is clearly
>> weaker to attack than the others, we ought to increase our RSA
>> keylengths by default.
>
> Whoa there a second! You might want to backspace and overstrike that,
> because you just shifted to arguing that "since GnuPG defaults to
> AES-256, we need to use RSA-15000 by default otherwise the asymmetric
> portion will clearly be weaker to attack than the others."
>
> We don't want to even out the cryptosystem. We want to ensure that each
> component of the cryptosystem meets or exceeds our minimum standards for
> cryptanalytic resistance -- but the notion of "evening out" the system
> is, as near as I can tell, fashionable nonsense.

sigh. "weakest link" analysis is clearly useful, and just as clearly not the only analytic tool to use.

I argued: right now gpg's weakest links are the default RSA key length and the digest used in cryptographic certification. Let's improve them both.

Your argument in response seems to be "whoa! if we improve them all the way to the symmetric cipher length it would be computationally infeasible!" This is not an argument for not improving the weakest link. I agree with you that RSA doesn't scale well computationally as we approach equivalence to 256-bit symmetric ciphers. I'm not suggesting we take that step.

>> Do we want the asymmetric key length to be the weakest link for users
>> of GPG's default choices?
>
> Unless we move to RSA-15000, it will be.

so, how much weaker are you ok with? 3072-bit keys are functional and available now, and even according to NIST's standards (i'm glad you still feel they're trustworthy, even in the context of them having issued a deliberately bad RNG, and their keylength recommendations being weaker than everyone else's!)
> I agree that a stronger asymmetric component would be nice, but I don't
> believe RSA is the way to go. We're already on the brink of introducing
> ECC support into GnuPG. I think that once ECC support is introduced in
> the mainline, it will then be an appropriate time to revisit the
> question. I would support shifting to stronger asymmetric component(s)
> at that time, but I don't think it's worth the headache of changing the
> defaults if we're just going to change them *again* in under a year.

Of course when ECC is available, we may want to shift to ECC. But ECC is not currently available, and even when it becomes available, RSA will be the dominant key type for years. This is a terrible argument for not improving the default RSA key length today. It costs very little to change the default, and it signals the user community that we take the existence of well-funded adversaries seriously.

[from your other followup]

> I am not in favor of covering more than 'virtually all users' and
> 'virtually all purposes.' The difference between 99% of GnuPG's users
> and 100% of GnuPG's users is, first of all, impossible to close, and
> second of all, requires ever-increasing expense just to approximate it.

We're engineers talking about building safety and security infrastructure here. Of course we may not get it right; bridges built with what they thought was a 200% safety margin have collapsed due to unforeseen factors. But we can make sure that we build in what we currently believe is a safety margin beyond what we believe anyone *should* need, and it is the responsible thing to do. Targeting exactly at the 99th percentile is irresponsible when we can safely and reasonably overshoot.

To be clear: i'm not advocating for moving to 15000-bit or 30000-bit RSA keys by default. I'm advocating having a baseline 128-bit-symmetric-equivalent security by default, on all aspects of the cryptosystem.

--dkg
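The figures traded in this thread (RSA-2048 at roughly 112 bits, RSA-3072 at roughly 128, RSA-15000 for 256) come from equivalence tables such as NIST SP 800-57. As an added illustration that is not part of the thread, the script below reproduces those numbers from the heuristic run time of the General Number Field Sieve and shows why the asymmetric side scales so badly; the additive calibration to NIST's RSA-2048 point is this example's own assumption, not NIST's or ECRYPT's method.

```python
import math

# NIST SP 800-57 Part 1 equivalences: RSA modulus bits -> symmetric security bits.
NIST_EQUIVALENCE = {1024: 80, 2048: 112, 3072: 128, 7680: 192, 15360: 256}

# Exponent constant of the General Number Field Sieve, (64/9)^(1/3) ~ 1.923.
GNFS_CONST = (64 / 9) ** (1 / 3)


def gnfs_log2_cost(modulus_bits):
    """log2 of the heuristic GNFS run time L_N[1/3, (64/9)^(1/3)] for N ~ 2^bits."""
    ln_n = modulus_bits * math.log(2)
    exponent = GNFS_CONST * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return exponent / math.log(2)


# Assumed calibration (this example's choice, not NIST's method): the asymptotic
# formula hides constant factors, so anchor it at NIST's RSA-2048 = 112-bit point.
CALIBRATION = gnfs_log2_cost(2048) - NIST_EQUIVALENCE[2048]


def rsa_security_bits(modulus_bits):
    """Estimated symmetric-equivalent strength of an RSA modulus (heuristic)."""
    return gnfs_log2_cost(modulus_bits) - CALIBRATION


def min_rsa_bits(target_security_bits, step=8):
    """Smallest modulus size (multiple of step, searched upward from 512) that
    reaches the target security level under the heuristic."""
    bits = 512
    while rsa_security_bits(bits) < target_security_bits:
        bits += step
    return bits


def compare_with_nist():
    """Return {modulus_bits: (nist_bits, heuristic_bits)} for NIST's table sizes."""
    return {n: (s, round(rsa_security_bits(n), 1)) for n, s in NIST_EQUIVALENCE.items()}


if __name__ == "__main__":
    for n, (nist, est) in compare_with_nist().items():
        print(f"RSA-{n:<5} NIST {nist:3} bits   GNFS heuristic {est:6.1f} bits")
    # Sub-exponential scaling: 128-bit costs ~3k modulus bits, 256-bit ~15k.
    for target in (112, 128, 192, 256):
        print(f"{target}-bit symmetric equivalent needs roughly RSA-{min_rsa_bits(target)}")
```

The calibrated heuristic lands within a few bits of every NIST row and makes the thread's point numerically: going from 2048 to 3072 bits buys about 20 bits of security, while reaching 256-bit equivalence needs a modulus roughly five times larger still.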
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users