Question about key size (Was: [ale] ALE PGP Keysigning Party Instructions)

Michael H. Warfield mhw at wittsend.com
Tue Jan 14 13:34:22 EST 2003


On Tue, Jan 14, 2003 at 10:46:42AM -0500, Jason Day wrote:
> A few months back, Dan Bernstein suggested that 1024-bit keys might not
> be as secure as we all thought (more info is available here:
> http://cr.yp.to/nfscircuit.html).  One of the things Bernstein claimed
> was that it is possible to build a computer for about $1 billion that is
> capable of brute-forcing 1024-bit keys.

	I think I made a passing reference to this in my talk.  If I
didn't, I should have.

	Bernstein's optimizations theoretically chopped several orders
of magnitude (powers of 10) off the speed at which a key could be brute
forced.  Since each "bit" in a key increases the effort by a factor of
two, even if you presumed that he improved the attack by six orders of
magnitude (basically, 20 bits) that reduce the "effective" strength of
a 1024 bit key down to what was the strength of a 1004 bit key.  Still
a tough nut to crack.  To reduce the effective strength to what you
use to have under a 1000 bit key, you would need to improve the
efficiency by a factor of over 16 million.

> So, should we be worried about 1024-bit keys?  I've had a PGP key for a
> while now, but no one has ever signed it.  Should I revoke it and
> generate a new 4096-bit key for the keysigning?

	If no one has ever signed it and you've never used it, then you
really have nothing to loose by regnerating it.  In fact, you may have
an even better reason than just the number of bits.  If you have an
old style "version 3" key (earlier than PGP 6.5 or there abouts) you
may want to take advantage of the opportunity to switch to a version 4
OpenPGP key, now, before you start getting signatures on that older key.

	Easy way to test for a version 4 key...  Try adding a subkey to
it (you don't have to save the subkey, you'll get an error for a version 3
key saying that "creating subkeys for v3 keys is not OpenPGP compliant").
If you get that error for that key, you may well want to get an OpenPGP
compliant version 4 key now.

	You don't need a 4096-bit key.  While I would not generated any
new 1024-bit keys, 2048-bit keys are more than sufficient and I wouldn't
abandon any 1024-bit keys.  What I've done is relegated my older 1024-bit
v3 RSA key to signature duty and use newer 2048-bit keys for encryption
and mutually sign all the keys (which is why I have four keys - a
1024/RSA-v3, a 1024/RSA-v3, a 2048/RSA-v4, and a 2048/D-H).

	If no one has ever signed that 1024-bit key and it's a v3 key
then I would go ahead and generate a 2048-bit v4 key (RSA or D-H) now.

> Jason
> -- 
> Jason Day                                       jasonday at
> http://jasonday.home.att.net                    worldnet dot att dot net
>  
> "Of course I'm paranoid, everyone is trying to kill me."
>     -- Weyoun-6, Star Trek: Deep Space 9
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://www.ale.org/mailman/listinfo/ale

	Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com
  /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!

 PGP signature




More information about the Ale mailing list