On 06/26/2014 10:26 AM, Robert J. Hansen wrote:
> So in a very real sense, anything past RSA-2048 is at best a "you
> *might* get some additional security, depending on what symmetric
> algorithm your correspondent uses. Oh, and you can't forbid your
> correspondent from using 3DES, either."
Of course you can't, but this is a terrible argument. You can't forbid your correspondent from sending you mail in the clear either. At any rate, the document under discussion also encourages people to advertise preferences for stronger ciphers, so correspondents using tools which respect those advertised preferences (like GnuPG) *will* get the increase in strength described.

The goal of this document is to encourage people to make sure that crypto is not the weak point in their communications. Brute-forcing anything at a 2^103 security level [0] is likely infeasible, yes, but brute force isn't the only possible means of attack. We don't know what cryptanalytic improvements are known privately, but if anyone has a speedup on the order of 2^30 (about a billion), then increasing the keysize by about the same amount seems like a pretty reasonable safeguard. Please read Bernstein's paper suggesting larger keysizes as a defense against common parallel constructions (one form of speedup): http://cr.yp.to/snuffle/bruteforce-20050425.pdf

As for arguments about use on smartcards -- if you plan to get a smartcard, and you have a primary key that is too large for it, you can always generate and publish new subkeys that will fit in your smartcard. If that's the tradeoff that seems the most secure for you, that's fine, and the fact that you were using stronger keys in your non-smartcard implementation doesn't hurt you at all. Smartcards are not a good reason to object to larger keysizes for people who don't use smartcards.

The pushback of "don't bother using stronger crypto, something else will be your problem" seems silly to me. It's like saying "don't bother fighting sexism, people are going hungry!" We can (and should) push on all of these fronts concurrently.

Regards,

--dkg

[0] 2048-bit RSA is roughly equivalent to 103-bit symmetric crypto according to ECRYPT-II: page 30 of http://www.ecrypt.eu.org/documents/D.SPA.20.pdf
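A worked recomputation of the key-size figures discussed in this thread, added here as an example and not part of dkg's message or of ECRYPT's own tooling: it uses the standard GNFS running-time heuristic with a constant offset calibrated (an assumption) so that 2048-bit RSA lands on the 103-bit figure the post cites, then solves for the modulus size that would restore 103 bits if factoring became 2^30 faster.

```python
import math

# Assumed calibration: the GNFS heuristic L_N[1/3, (64/9)^(1/3)] plus a constant
# offset chosen so that RSA-2048 maps to the 103-bit figure cited from ECRYPT-II
# (D.SPA.20, p. 30). Toy recomputation for illustration, not ECRYPT's method verbatim.
_C = (64 / 9) ** (1 / 3)
_REFERENCE_RSA_BITS = 2048
_REFERENCE_SYM_BITS = 103


def _gnfs_log2_work(modulus_bits: int) -> float:
    """log2 of the GNFS heuristic running time for an RSA modulus of this size."""
    ln_n = modulus_bits * math.log(2)
    exponent = _C * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return exponent / math.log(2)


# Offset that pins the curve to the cited 2048 -> 103 data point.
_OFFSET = _gnfs_log2_work(_REFERENCE_RSA_BITS) - _REFERENCE_SYM_BITS


def rsa_symmetric_equivalent(modulus_bits: int) -> float:
    """Equivalent symmetric security level in bits for an RSA modulus size."""
    return _gnfs_log2_work(modulus_bits) - _OFFSET


def modulus_bits_for_level(target_sym_bits: float, step: int = 8) -> int:
    """Smallest modulus size (in multiples of `step`) reaching the target level."""
    bits = 1024
    while rsa_symmetric_equivalent(bits) < target_sym_bits:
        bits += step
    return bits


def modulus_bits_after_speedup(modulus_bits: int, speedup_log2: float) -> int:
    """Modulus size needed to keep modulus_bits' current level if factoring
    became 2^speedup_log2 times cheaper (the post's hypothetical 2^30)."""
    target = rsa_symmetric_equivalent(modulus_bits) + speedup_log2
    return modulus_bits_for_level(target)


if __name__ == "__main__":
    for n in (1024, 2048, 3248, 4096):
        print(f"RSA-{n}: ~{rsa_symmetric_equivalent(n):.0f}-bit symmetric")
    print("RSA size keeping 103 bits despite a 2^30 speedup:",
          modulus_bits_after_speedup(2048, 30))
```

With this calibration the other ECRYPT-II table points (1024 -> 73, 3248 -> 128, 15424 -> 256) come out within a bit, so the curve is a reasonable sanity check on the cited figures.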
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users