How secure is GnuPG

[David Shaw]

On Wed, Jul 24, 2002 at 01:43:56AM +0000, Brian M. Carlson wrote:

> > DSA and ElGamal are based on the same underlying hard problem, so
> > 1024-bit DSA and 1024-bit ElGamal are very similar security-wise.
> > Note that DSA doesn't encrypt and ElGamal doesn't (usually) sign.
> 
> Well, I use Elgamal to sign sometimes. But there are only 28 Elgamal
> type 20 (sign and encrypt) keys on the servers. By the way, I found out
> that Taher Elgamal spells his name with a lower case "g". He also
> allegedly has an OpenPGP key (0x507A237A).

Appropriately, it's not an RSA key... :)

> > > Why is 1024 the maximum for DSA?  That's interesting.
> > 
> > That's the spec.  I believe it was chosen to be somewhat in balance
> > (with regards to strength) with the 160-bit hash that DSA also uses.
> 
> It can be anywhere from 512 bits to 1024 bits, but according to OpenPGP,
> it should (MUST?) be at least 768 bits. Also, OpenPGP states its hash
> algorithm MUST be 160 bits, but DSS (the standard which defines DSA)
> states that the hash algorithm MUST be SHA1.

DSS does not define DSA.  DSS is built on top of DSA.  Specifically,
DSA is the algorithm, which is specified to use a 160-bit hash and up
to 1024-bit keys.  DSS is a US government specification that uses DSA.
It requires SHA-1 as the hash and 1024 bit keys (it used to allow
768-1024, but they revised it).  If your DSA key is 1024 bits long,
and you use SHA-1, then you are compliant with DSS, but this is not a
OpenPGP requirement.

David

-- 
   David Shaw  |  dshaw@jabberwocky.com  |  WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson