Question about key size (Was: [ale] ALE PGP Keysigning Party Instructions)
Michael H. Warfield
mhw at wittsend.com
Tue Jan 14 13:42:58 EST 2003
I hate it when I spot stupid errors and end up responding to
my own posts to correct my typos... Sigh... Blame it on coffee underflow.
On Tue, Jan 14, 2003 at 01:34:22PM -0500, Michael H. Warfield wrote:
> On Tue, Jan 14, 2003 at 10:46:42AM -0500, Jason Day wrote:
> > A few months back, Dan Bernstein suggested that 1024-bit keys might not
> > be as secure as we all thought (more info is available here:
> > http://cr.yp.to/nfscircuit.html). One of the things Bernstein claimed
> > was that it is possible to build a computer for about $1 billion that is
> > capable of brute-forcing 1024-bit keys.
> I think I made a passing reference to this in my talk. If I
> didn't, I should have.
> Bernstein's optimizations theoretically chopped several orders
> of magnitude (powers of 10) off the speed at which a key could be brute
^^^^^
That should have been "time". Speed was increased by several
orders of magnitude thus chopping several orders of magnitude off the
time. Sigh...
> forced. Since each "bit" in a key increases the effort by a factor of
> two, even if you presumed that he improved the attack by six orders of
> magnitude (basically, 20 bits) that reduce the "effective" strength of
> a 1024 bit key down to what was the strength of a 1004 bit key. Still
> a tough nut to crack. To reduce the effective strength to what you
> use to have under a 1000 bit key, you would need to improve the
> efficiency by a factor of over 16 million.
>
> > So, should we be worried about 1024-bit keys? I've had a PGP key for a
> > while now, but no one has ever signed it. Should I revoke it and
> > generate a new 4096-bit key for the keysigning?
> If no one has ever signed it and you've never used it, then you
> really have nothing to loose by regnerating it. In fact, you may have
> an even better reason than just the number of bits. If you have an
> old style "version 3" key (earlier than PGP 6.5 or there abouts) you
> may want to take advantage of the opportunity to switch to a version 4
> OpenPGP key, now, before you start getting signatures on that older key.
> Easy way to test for a version 4 key... Try adding a subkey to
> it (you don't have to save the subkey, you'll get an error for a version 3
> key saying that "creating subkeys for v3 keys is not OpenPGP compliant").
> If you get that error for that key, you may well want to get an OpenPGP
> compliant version 4 key now.
> You don't need a 4096-bit key. While I would not generated any
> new 1024-bit keys, 2048-bit keys are more than sufficient and I wouldn't
> abandon any 1024-bit keys. What I've done is relegated my older 1024-bit
> v3 RSA key to signature duty and use newer 2048-bit keys for encryption
> and mutually sign all the keys (which is why I have four keys - a
> 1024/RSA-v3, a 1024/RSA-v3, a 2048/RSA-v4, and a 2048/D-H).
^^^^^^^^^^^
Should have been a 2048/RSA-v3 key, not that it matters much...
> If no one has ever signed that 1024-bit key and it's a v3 key
> then I would go ahead and generate a 2048-bit v4 key (RSA or D-H) now.
> > Jason
> > --
> > Jason Day jasonday at
> > http://jasonday.home.att.net worldnet dot att dot net
> >
> > "Of course I'm paranoid, everyone is trying to kill me."
> > -- Weyoun-6, Star Trek: Deep Space 9
Mike
--
Michael H. Warfield | (770) 985-6132 | mhw at WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
PGP signature
More information about the Ale
mailing list