encryption algorithm
Hauke Laging
mailinglisten at hauke-laging.de
Tue Dec 17 22:31:40 CET 2013
Am Di 17.12.2013, 15:57:54 schrieb Daniel Kahn Gillmor:
> RSA 1024 falls
> in at the equivalent of about 73 bits of symmetric cipher. According to
> the authors, this is "Short-term protection against medium
> organizations, medium-term protection against small organizations", not
> "a First World government".
>
> While i don't agree with adrelanos' entire draft, i do agree that the
> default key size for gpg should be larger. A default key size of 3072
> or 4096 bits for RSA keys sounds reasonable to me.
> We do not do the users of GnuPG any favors by continuing to generate
> weaker-than-expected keys and certifications by default.
There are non-technical arguments against your position. No, Rob, I don't have
a scientific study for that but I guess (and invite everyone to follow mw with
this) that using something above the minimum but below the maximum serves an
educational purpose.
I believe there is a broad agreement that you need to *learn* what good crypto
is (involving the whole process containing crypto, not just the small crypto
element) to get "security". One more wild guess: 99.9% of the systems on which
GnuPG is *actively* used do not even provide the "equivalent" of a 73-bits
key.
If the 99.9% get 2048 bit by default then they ask: "Why not more?" That can
be kind of annoying here but at least they ask and get told. And some probably
understand. That's a security gain. If they notice "I have maximum security
now" because the default is raised to 4096 then they will not ask but often
make stupid assumptions about their overall security.
Effective use of crypto mandatorily demands for some understanding. It is
trivial for everyone with this understanding to select the key size. So what
real-world problem is going to be solved here?
And what could be the "expected key strength" for users with no clue about
crypto?
I support dkg with respect to the digests, though. And I think that GnuPG
really needs an option like personal-digest-disallow. Sende-recipient
negotiation all well and good, but it must be possible to say: Not me! Even
against the RfC. With such a command line option an application can easily
limit that to certain cases (though the validity calculations must be
configured globally, of course). We should not expect the applications to
filter disallowed digests. Often the crypto knowledge of application
developers is limited.
Hauke
--
Crypto für alle: http://www.openpgp-schulungen.de/fuer/unterstuetzer/
http://userbase.kde.org/Concepts/OpenPGP_Help_Spread
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 572 bytes
Desc: This is a digitally signed message part.
URL: </pipermail/attachments/20131217/96652624/attachment-0001.sig>
More information about the Gnupg-users
mailing list