SSH Agent keys >4096 bit?
Werner Koch
wk at gnupg.org
Mon May 7 10:13:40 CEST 2012
On Sat, 5 May 2012 12:08, peter at digitalbrains.com said:
> Why should the GnuPG authors include a feature they don't believe in? If
> it's in GnuPG official, it will need to be supported. What if there is
It is marketing again. PGP started to use AES-256 for marketing reasons
and thus we were more or less forced to include support for AES-256. We
initially did not even put AES-256 on top of the cipher preferences,
but we had to change even this:
    /* The rationale why we use the order AES256,192,128 is
       for compatibility reasons with PGP.  If gpg would
       define AES128 first, we would get the somewhat
       confusing situation:

         gpg -r pgpkey -r gpgkey  ---gives--> AES256
         gpg -r gpgkey -r pgpkey  ---gives--> AES

       Note that by using --personal-cipher-preferences it is
       possible to prefer AES128.
    */
> And you seem to forget that when you use GnuPG with (for example) 4k
> keys, the 4k key is simply not the weakest link! This has been said already.
Exactly.
> data is that valuable, keep it to yourself. Don't give even the
> encrypted variant to your enemy. Because your formidable enemy will know
> of a way to decrypt it without breaking your 8k key.
Well, even the former option is subject to a pretty cheap rubber hose
cryptanalysis. It all depends on your threat model.
Salam-Shalom,
Werner
--
Thoughts are free. Exceptions are regulated by a federal law.