Update your outdated PGP keys with strong elliptic curve keys

Mork

Feb 2, 2023, 1:38:17 AM
I see that some are still using 20-year-old DSA keys and outdated RSA
keys. Spooks can probably break these old keys with current technology.
Worse, they can probably break them in a few trillion pattern search
cycles using farms that make bitcoin mining look small scale.

I suspect they have warehouses full of GPUs and ASICs that chew through
the keys like a bitcoin mining farm does hashes. Nation-state actors
have enough compute hardware and memory to sieve for mathematical
patterns for breaking semiprimes and logarithms that would not even be
searchable with most researcher hardware budgets.

I strongly recommend revoking all old keys and generating new ECC keys.
Avoid RSA, DSA, and Elgamal encryption unless you are using really big
keys. Curves are mathematically stronger and more resistant to advances
in factoring and discrete logarithm computations that would break the
other algorithms sooner.

GPG hides the ability to generate Elliptic Curve key pairs. The user
must choose expert mode to use this feature.

How to generate a strong ECC key with GnuPG (GPG)
-------------------------------------------------

$> gpg --full-gen-key --expert

Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
(9) ECC and ECC

$> 9

Please select which elliptic curve you want:
(1) Curve 25519
(3) NIST P-256
(4) NIST P-384
(5) NIST P-521
(6) Brainpool P-256
(7) Brainpool P-384
(8) Brainpool P-512

$> 1

At this point enter your personal information and don't forget to
protect your key with a password.

IMHO there are only two trustworthy curves:

(1) Curve 25519
(8) Brainpool P-512

#1 is far more trustworthy than #8 from a structural POV. But #8 is
strong from a bit-strength POV. Some brainpool implementations seem to
suffer from a problem with the randomness. I don't know if this is the
case with GnuPG, and I don't have time to learn the code base and audit
the code, so I usually choose Curve 25519.

The Stuff of Legend

Feb 4, 2023, 10:58:22 PM
On Thu, 2 Feb 2023 00:40:17 -0600, Mork <mo...@bork.bork> said in
Message-ID: <trfloo$31js$1...@news.cyber23.de>:

> I see that some are still using 20-year-old DSA keys and outdated RSA
> keys. Spooks can probably break these old keys with current technology.
> Worse, they can probably break them in a few trillion pattern search
> cycles using farms that make bitcoin mining look small scale.

That's probably why 1024-bit keys were deprecated by the end of 2010, some
12 years ago now. If memory serves, the largest publicly-factored prime is
829 bits, factored by a team in February, 2020.

> I suspect they have warehouses full of GPUs and ASICs that chew through
> the keys like a bitcoin mining farm does hashes. Nation-state actors have
> enough compute hardware and memory to sieve for mathematical patterns for
> breaking semiprimes and logarithms that would not even be searchable with
> most researcher hardware budgets.
>
> I strongly recommend revoking all old keys and generating new ECC keys.
> Avoid RSA, DSA, and Elgamal encryption unless you are using really big
> keys. Curves are mathematically stronger and more resistant to advances in
> factoring and discrete logarithm computations that would break the other
> algorithms sooner.

A lot of people tend to use 4096-bit keys for compatibility -- the problem
is many people use very old, outdated software. It's like everything else --
many people are just too lazy to keep up to date. What makes things even
worse is that there is a LOT of JUNK software out there, which people often
latch onto, because it's "easy to use".

One such package, which goes by the moniker PortablePGP, generates keys like
this:

pub 1024D/0x996899184676D860 2023-02-05
uid Portable PGP Generated Key (Don't use garbage software like this) <us...@example.com>
sub 512g/0x7507C7BE52CDA439 2023-02-05

I just checked, and this software package is still available for download.

Believe it or not, someone selling drugs on the Darknet actually used a key
like this! (I damn near sprayed my monitor and keyboard upon seeing this!)

> GPG hides the ability to generate Elliptic Curve key pairs. The user must
> choose expert mode to use this feature.

That is in the 2.2.x series. The 2.4.x series generates Curve25519 keys by
default.

> How to generate a strong ECC key with GnuPG (GPG)

[snip]

> IMHO there are only two trustworthy curves:
>
> (1) Curve 25519
> (8) Brainpool P-512

That's my thinking as well. I wouldn't trust the NIST Curves as far as I
can throw them. I haven't forgotten how the NSA tried to worm themselves
into positions of authority on standards-setting committees, and how they
tried mightily to get NIST to approve the use of certain constants
(presumably to make the keys easier to break).

> #1 is far more trustworthy than #8 from a structural POV. But #8 is strong
> from a bit-strength POV. Some brainpool implementations seem to suffer
> from a problem with the randomness. I don't know if this is the case with
> GnuPG, and I don't have time to learn the code base and audit the code, so
> I usually choose Curve 25519.

It's a reasonable default.

The Stuff of Legend
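
Added example, not part of either post and not GnuPG project code: a shell function that scans `gpg --list-keys --with-colons` output for the kind of key discussed in this thread (short DSA, Elgamal and RSA keys such as the 1024D/512g pair listed above). The 3072-bit threshold, the names `audit_keys` and `sample_listing`, and every sample record except the two key IDs quoted from that listing are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: flag outdated keys in GnuPG's machine-readable listing.
# MIN_BITS is an assumed policy threshold, not a figure from the thread.
MIN_BITS="${MIN_BITS:-3072}"

# Reads `--with-colons` records on stdin; prints one line per weak key.
# Fields used: 1=record type, 2=validity, 3=bits, 4=algorithm ID, 5=key ID.
audit_keys() {
    awk -F: -v min="$MIN_BITS" '
        BEGIN { alg[1] = "RSA"; alg[16] = "Elgamal"; alg[17] = "DSA" }
        $1 != "pub" && $1 != "sub" { next }   # skip uid, fpr, ... records
        $2 == "r" || $2 == "e"     { next }   # already revoked or expired
        # ECC algorithm IDs (18 ECDH, 19 ECDSA, 22 EdDSA) are not in alg[],
        # so curve keys are never flagged by this size check.
        ($4 in alg) && ($3 + 0 < min) {
            printf "WEAK %s %s-%d %s\n", $1, alg[$4], $3, $5
        }
    '
}

# Constructed sample listing. Only the first pub/sub key IDs come from the
# thread; timestamps and all other key IDs are placeholders.
sample_listing() {
    cat <<'EOF'
pub:-:1024:17:996899184676D860:1675555200:::-:::scESC::::::23::0:
uid:-::::1675555200::::Portable PGP Generated Key:
sub:-:512:16:7507C7BE52CDA439:1675555200::::::e::::::23:
pub:-:255:22:0000000000000001:1675555200:::-:::scESC:::::ed25519:::0:
sub:-:255:18:0000000000000002:1675555200::::::e:::::cv25519::
pub:r:1024:17:0000000000000003:1041465600:::-:::sc::::::23::0:
pub:-:2048:1:0000000000000004:1675555200:::-:::scESC::::::23::0:
pub:-:4096:1:0000000000000005:1675555200:::-:::scESC::::::23::0:
EOF
}

# Against a real keyring:  gpg --list-keys --with-colons | audit_keys
sample_listing | audit_keys
```

Keys flagged this way are candidates for the revoke-and-regenerate step recommended in the first post; raise or lower `MIN_BITS` to match local policy.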

J G

Jul 7, 2023, 3:47:30 PM