RSA 1024 ridiculous / RSA 8192 sublime, and, possible with gnupg.

Newton Hammet newton at hammet.net
Sun Jun 17 21:24:22 CEST 2007


On Sun, 2007-06-17 at 12:58 -0400, David Shaw wrote:
> >> >>> Lots of other stuff, not top-posted here.
> GnuPG supports RSA keys much larger than 4096 bits.   It does not,
> however, currently allow generation of such keys, so the keys must
> come from elsewhere.
> 
> > Isn't it more useful to switch to ECC instead of using such large keys?
> 
> For many cases, yes.  However, ECC is not yet defined for OpenPGP.
> Until that happens, there won't be official support for it in GnuPG.
> Note, though, there is an ECC version of GnuPG out there if you want to
> try it.
> 
> David

To coax bigger RSA keys out of gnupg-1.4.7 you have to download
and recompile the source, but with one change in the following file:

gnupg-1.4.7/g10/keygen.c

Here is diff -r output, 2 source trees, one source tree containing
the single difference:

nhammet at linux:~/gpg_test_8192> diff -r * 2>&1|grep -v 'Only in'
diff -r gnupg-1.4.7/g10/keygen.c gnupg_1.4.7x/g10/keygen.c
1528a1529
>       max=8192;
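
Review bot: The added "max=8192;" at line 1529 is a bare literal with no comment, and it only raises the ceiling that ask_keysize() accepts for PUBKEY_ALGO_RSA. Nothing in this one-line change shows that signing, encrypting or decrypting with a key of that size has been exercised, and the message itself lists those as still to be tested. Suggest carrying the explanatory comment into the patched source line (the stanza quoted further down has it, the diff line does not), using a named constant next to "min=1024;" instead of the literal, and confirming that an 8192-bit key round-trips against an unmodified gnupg-1.4.7 before relying on the change.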


In more detail it's the following case stanza:

    case PUBKEY_ALGO_RSA:
      min=1024;
      max=8192;  /* Line of code to allow 8192 key generation.*/
      break;

It is the case stanza in the first switch statement in the function:
ask_keysize(int algo)
in the file g10/keygen.c

I can successfully generate an 8192-key (in under 10 minutes). If I
get around to it, I will test this key for signing, maybe generate
an 8192-bit RSA sub-key and test that, too.

I did this before in gnupg-1.2.1 (Check the mailing list archives)
but it was a different change... I think, to a header file. (I don't
have or can no longer find the detritus from that excursion.) I was
much more energetic then, testing, signing, encrypting, and decrypting
with an 8192-bit RSA key.

The real rub will be to see if it behaves well with unaltered (for
8192 key generation) gnupg-1.4.7 for encrypting, signing, decrypting,
etc., but I suspect it will be copacetic with unaltered official
gnupg-1.4.7. (Werner Koch and the gang are pretty thorough with this
code; it is high quality stuff.)

Regards,
Newton


-- 
Public Key: 4096R/136FC036 2004-02-09 Newton Hammet <newton at hammet.net>
Key fingerprint = 785F DFF3 7029 3FBD 45CE 747C 93CA E808 136F C036
Key servers: pgp.mit.edu, others...




