To All Morons Using Greater Than 3000 Bit RSA Keys!!!! READ!!!


Anonymous

Nov 29, 1998, 3:00:00 AM
>It had a PGP signed message included therein from Zimmerman himself.
>
>The message by Zimmerman explained why RSA keys greater than 3000 Bits
>serve no useful security purpose whatsoever.
>
>I have always suspected that those using greater than 2048 Bit RSA
>keys were attempting to substitute key size for penis size, but
>lacking a theoretical background in cryptography, I have always kept
>my suspicions to myself. Not any longer........

Errrm, since to break a 128 bit symmetric cipher has approximately
the same workload as 3100 bit asymmetric cipher (disregarding the
differences between DH, RSA and Elliptic Curve,) this is quite
true, to a point. I would still use 3100 bit asymmetric key, since
the chain is just as strong as the weakest link.
Besides, nothing says that factoring primes *has* to be that
difficult, which in turn supports using as large keys as
possible. Though, going above 4096 bits is probably just waste
of time, and PGP already supports this strength natively (DH).


Also, there's another application for public/private key strategy,
digital signatures. PGP, when using RSA, signs using 2048bit
key, which is quite adequate, but DH/DSS uses only 1024bits.
Correct me if I'm wrong. The version of PGP you refer to, supports
up to 16K RSA keys and 8K DH keys with 2048 bit DSS. In addition to
which, it includes several bugfixes and nice features not found in the
regular distributions. Now, without paying too much attention to those
ENORMOUS keys, the single most useful feature in the CK-T release
is, IMHO, the 2048 bit DSS support.

In conclusion, I would recommend use of public key at least as
strong as the conventional cipher used in PGP (which has a keyspace
of 128 bits) for encryption but not much more, 4096 bits is quite
adequate, and 2048 bits for signatures.

This should be a nice tradeoff between paranoia and convenience.


Comments, anyone?

BlevinsWS

Nov 29, 1998, 3:00:00 AM
Old news.

ESPO247

Nov 29, 1998, 3:00:00 AM
>The message by Zimmerman explained why RSA keys greater than 3000 Bits
>serve no useful security purpose whatsoever.

>There is no advantage for using the keys larger than about 3000 bits.
>The 128-bit session keys have the same work factor to break as a 3000
>bit RSA or DH key. Therefore, the larger keys contribute nothing to
>security, and, in my opinion, spread superstition and ignorance about
>cryptography.

This is actually inaccurate. Yes, per message, it would be pointless to have a
Public key that far exceeds the work factor to brute force the session key.
HOWEVER, it is more to the attacker's advantage to get the public key, as if
you crack that you can get EVERY message. If you only crack the session key,
you get ONE message. So, it isn't such a dumb idea to make the public key
harder to crack than the session key.
-
Espo
Free Kevin! www.paranoid.org/mitnick
"Mary had a crypto key, she kept it in escrow, and everything that Mary said,
the Feds were sure to know." -- Sam Simpson
E-mail me for my PGP keys.
DH/DSS Key ID: 0x927BED1D
RSA Key ID: 0x76C6AB73


Thomas J. Boschloo

Nov 29, 1998, 3:00:00 AM
Some time ago, someone posted this message:

> Subject: Re: RSA Vs DH/DSS?
> Date: 13 Nov 1998 12:49:48 GMT
> From: lu...@taranis.iks-jena.de (Lutz Donnerhacke)
> Organization: IKS GmbH Jena
> Newsgroups: comp.security.pgp.discuss,alt.security.pgp,comp.security.pgp.resources
> Followup-To: sci.crypt
>
> * |MrB| wrote:
> >Who encryption is the best or the hardest to crack between
> > RSA Vs DH/DSS?
>
> DH is easy to break, but you may refer to ElGamal.
>
> The question itself is: What is more difficult, discrete logarithms over
> a finite field (ElGamal, Diffie-Hellman, DSA) or discrete logarithms over
> a finite abelian ring which is not a domain (RSA)? And the answer is
> unknown.
> A theoretical result is, that discrete logarithms over a finite field are
> at most as difficult as the factorisation of the predecessor of the
> characteristic of the field which is always prime.
> OTOH discrete logarithms over a finite ring are at most as difficult as the
> factorisation of the ring characteristic itself which is composite in this
> case.
> Several algorithms are known to solve the problems. But it's unknown what
> algorithms are known to the secret services. The public knowledge is
> documented in the standard P1363 of the IEEE. Appendix A says:
>
>   Ring           Field
> -----+----    -----+----
>  512 |  63         |
>  786 |  76         |
> 1024 |  86    1024 |  56
> 2048 | 117    2048 | 112
> 3072 | 139    3072 | 128
> 4096 | 157    4096 | 168
>
> So a 512 bit RSA key is as secure as a 63 bit symmetric key (runtime
> complexity). A 1024 bit DSA key is as secure as a 56 bit symmetric key.
> It's easy to see, that 3100 bit are enough to fit every paranoic feelings.
> For longer keys RSAs security grows slower, but the initial security is
> better.
> 1024 bit are acceptable for RSA but not for DSA or ElGamal. Due to the
> fact, that RfC 2440 relates on the DSA signature even for an ElGamal key,
> the communication security is limited to the lowest of both.
>
> As you know, the whole topic is irrelevant as long as keys are stored on
> insecure devices and operating systems, handled by incompetent users (click
> and pray), managed by insufficient software running inadequate trust models.
>
> Have fun in sci.crypt

BTW Does this mean that DH keys of LESS than 1024 bits are insecure? (I
use an 800 bit RSA key.)

Thomas
--
email: lastname(at)multiweb(dot)nl
PGPkey: http://x13.dejanews.com/getdoc.xp?AN=406702465
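
Added example, not part of any post in this thread: the Ring (RSA) column of the table quoted above can be approximated by the heuristic cost of the general number field sieve, and the sketch below checks that against the quoted rows and shows how slowly strength grows with modulus size. The function names and the choice to drop the o(1) term are assumptions of this sketch; the Field column is not modelled.

```python
import math

# Ring (RSA) column of the table as quoted in the post above:
# modulus size in bits -> equivalent symmetric key size in bits.
QUOTED_RING_COLUMN = {512: 63, 1024: 86, 2048: 117, 3072: 139, 4096: 157}

# Leading constant of the general number field sieve (GNFS) running time,
# (64/9)^(1/3), roughly 1.923.
GNFS_CONSTANT = (64 / 9) ** (1 / 3)


def gnfs_security_bits(modulus_bits):
    """Estimate log2 of the GNFS work needed to factor an n-bit modulus.

    Uses exp(c * (ln N)^(1/3) * (ln ln N)^(2/3)) with the o(1) term dropped
    (an assumption of this sketch), so the result is a rough figure only.
    """
    if modulus_bits < 64:
        raise ValueError("modulus too small for the asymptotic estimate")
    ln_n = modulus_bits * math.log(2)  # ln N for N close to 2^modulus_bits
    ln_work = GNFS_CONSTANT * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return ln_work / math.log(2)  # convert natural log to bits


def compare_with_quoted_table():
    """Return (modulus_bits, quoted_bits, estimated_bits) for each quoted row."""
    return [
        (bits, quoted, gnfs_security_bits(bits))
        for bits, quoted in sorted(QUOTED_RING_COLUMN.items())
    ]


def smallest_modulus_for(target_bits, step=64):
    """Smallest modulus size (multiple of `step`, from 512 up) whose
    estimated work factor reaches `target_bits`."""
    if target_bits <= 0 or step <= 0:
        raise ValueError("target_bits and step must be positive")
    bits = 512
    while gnfs_security_bits(bits) < target_bits:
        bits += step
    return bits


def bits_gained_per_kbit(low_bits, high_bits):
    """Symmetric-equivalent bits gained per extra 1024 modulus bits."""
    if high_bits <= low_bits:
        raise ValueError("high_bits must exceed low_bits")
    gained = gnfs_security_bits(high_bits) - gnfs_security_bits(low_bits)
    return gained * 1024 / (high_bits - low_bits)


if __name__ == "__main__":
    print("modulus  quoted  estimate")
    for bits, quoted, estimate in compare_with_quoted_table():
        print(f"{bits:7d}  {quoted:6d}  {estimate:8.1f}")
    print("estimate reaches a 128-bit work factor at",
          smallest_modulus_for(128), "bits")
    print("gain per extra 1024 bits, 1024->2048:",
          round(bits_gained_per_kbit(1024, 2048), 1))
    print("gain per extra 1024 bits, 3072->4096:",
          round(bits_gained_per_kbit(3072, 4096), 1))
```
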

G. J. Greetan

Nov 29, 1998, 3:00:00 AM
-----BEGIN PGP SIGNED MESSAGE-----

Hallo:

> I have always suspected that those using greater than 2048 Bit RSA
> keys were attempting to substitute key size for penis size, but
> lacking a theoretical background in cryptography, I have always kept
> my suspicions to myself. Not any longer........

Is this supposed to be breaking news? Anyone who uses the C-KT build most
likely knows about this since it is required reading when you run the
installer (assuming people actually read the notes, rather than just hitting
the 'next' button). You act like there was some concerted effort to keep the
information from the PGP community when, in fact, it has been well reported.

*----------------------------------------------------------------------*
G. J. Greetan (ICQ - 11516548)
Cyber-Knights Templar Primary Contact

mailto:%20cybe...@usa.net
http://members.tripod.com/cyberkt

No PGP key bearing my name, generated before 98.24.08, is valid.

Visit http://members.tripod.com/cyberkt to download my keys, or
you can get them off of the key servers.

NOTE: RSA is my preferred key, avoid using the DH key if possible.
*----------------------------------------------------------------------*

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.0.2
Comment: A lie is most convincingly hidden between two truths.

-----END PGP SIGNATURE-----

ssim...@hertreg.ac.uk

Nov 29, 1998, 3:00:00 AM
In article <1998112900...@replay.com>,

Anonymous <nob...@replay.com> wrote:
> >It had a PGP signed message included therein from Zimmerman himself.
> >
> >The message by Zimmerman explained why RSA keys greater than 3000 Bits
> >serve no useful security purpose whatsoever.

Breaking the asymmetric key allows all messages past, present and future to be
read. Thus it may make sense to have a (theoretically) "harder" DH key than
the corresponding block cipher key.

Before anyone gets on their high horse about the (im)possibility of breaking
3072 bit DH keys; I know that it is currently computationally infeasible - I am
just putting forward an argument for using asymmetric keys with more strength
than the keys used by the underlying block cipher.

> >I have always suspected that those using greater than 2048 Bit RSA
> >keys were attempting to substitute key size for penis size, but
> >lacking a theoretical background in cryptography, I have always kept
> >my suspicions to myself. Not any longer........

Sounds like *you* need a better background theoretical background in
cryptography...

> Errrm, since to break a 128 bit symmetric cipher has approximately
> the same workload as 3100 bit asymmetric cipher (disregarding the
> differences between DH, RSA and Elliptic Curve,) this is quite
> true, to a point. I would still use 3100 bit asymmetric key, since
> the chain is just as strong as the weakest link.
> Besides, nothing says that factoring primes *has* to be that
> difficult, which in turn supports using as large keys as
> possible. Though, going above 4096 bits is probably just waste
> of time, and PGP already supports this strength natively (DH).
>

Indeed.

> Also, there's another application for public/private key strategy,
> digital signatures. PGP, when using RSA, signs using 2048bit
> key, which is quite adequate, but DH/DSS uses only 1024bits.
> Correct me if I'm wrong.

You are quite right... PGP v5 onwards is implemented with DSS keys up to
1024-bits. This is for good reason, FIPS 186 says that the value p has to be
between 512 and 1024 bits - any other size would conform to the standards and
shouldn't be called DSS....


>The version of PGP you refer to, supports
> up to 16K RSA keys and 8K DH keys with 2048 bit DSS. In addition to
> which, it includes several bugfixes and nice features not found in the
> regular distributions. Now, without paying too much attention to those
> ENORMOUS keys, the single most useful feature in the CK-T release
> is, IMHO, the 2048 bit DSS support.

Which means that the signature algorithm supported IS NOT DSS :-(

>
> In conclusion, I would recommend use of public key at least as
> strong as the conventional cipher used in PGP (which has a keyspace
> of 128 bits) for encryption but not much more, 4096 bits is quite
> adequate, and 2048 bits for signatures.
>
> This should be a nice tradeoff between paranoia and convenience.
>
> Comments, anyone?

As mentioned above, in general the size of asymmetric keys can justifiably be
much larger than a corresponding block cipher key offering similar
protection... A block cipher key protects a single message whereas an
asymmetric key protects _all messages_ encrypted to that key.

Thus with symmetric & asymmetric keys that offer similar levels of strength,
you make the asymmetric key a "better" target as this will allow an adversary
to read all messages compared with the symmetric key which only allows an
adversary to read one message.


Also, Will Price of NAI (formerly PGP) has made the point on the PGP USERS
mailing list that "For the highly paranoid, a DH 3072 bit key is the best
choice. This will not change until the cryptographic community settles on
better hash algorithms and better symmetric ciphers.". I think he (and NAI!)
has ignored BlowFish, which supports keys of up to 448 bits and has been round
for several years now and is widely accepted within the crypto community...


Dah-well.....


Sam Simpson Comms Analyst -- See http://www.hertreg.ac.uk/ss/ for ScramDisk,
a free virtual disk encryption for Windows 95/98. PGP Keys available at the
same site.

-----------== Posted via Deja News, The Discussion Network ==----------
http://www.dejanews.com/ Search, Read, Discuss, or Start Your Own

Anonymous

Nov 29, 1998, 3:00:00 AM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sam Simpson <ssim...@hertreg.ac.uk> wrote:

>>>I have always suspected that those using greater than 2048 Bit RSA
>>>keys were attempting to substitute key size for penis size, but
>>>lacking a theoretical background in cryptography, I have always kept
>>>my suspicions to myself. Not any longer........
>
>Sounds like *you* need a better background theoretical background in
>cryptography...

Phil Zimmerman is not a god. These are controversial subjects and basing
comments the likes of which started this, on a single letter portraying
the opinion of one fellow, is somewhat dubious. This is not to say that
PRZ doesn't have some authority in the matter, but making comments
before finding out more is unwise. Hope I don't fall into that :)


>> Also, there's another application for public/private key strategy,
>> digital signatures. PGP, when using RSA, signs using 2048bit
>> key, which is quite adequate, but DH/DSS uses only 1024bits.
>> Correct me if I'm wrong.
>
>You are quite right... PGP v5 onwards is implemented with DSS keys up to
>1024-bits. This is for good reason, FIPS 186 says that the value p has to
>between 512 and 1024 bits - any other size would conform to the standards
>and shouldn't be called DSS....

I stand corrected. Thank you.


>> The version of PGP you refer to, supports
>> up to 16K RSA keys and 8K DH keys with 2048 bit DSS. In addition to
>> which, it includes several bugfixes and nice features not found in the
>> regular distributions. Now, without paying too much attention to those
>> ENORMOUS keys, the single most useful feature in the CK-T release
>> is, IMHO, the 2048 bit DSS support.
>
>Which means that the signature algorithm supported IS NOT DSS :-(

....which is probably the reason I'm having troubles signing
w/2048 key in PGP 6. Still, I thought PGP 5.x supported 2048
bits, albeit reluctantly. Was I wrong in my assumption?


>Also, Will Price of NAI (formerly PGP) has made the point on the PGP USERS
>mailing list that "For the highly paranoid, a DH 3072 bit key is the best
>choice. This will not change until the cryptographic community settles on
>better hash algorithms and better symmetric ciphers.". I think he (and
>NAI!) has ignored BlowFish, which supports keys of upto 448 bits and has
>been round for several years now and is widely accepted within the crypto
>community...

How about CAST-256? And Twofish, does it support larger keys? But still,
key exhaustion of even a 128 bit block cipher is computationally infeasible,
and is quite likely to remain so. Even the coveted quantum computers, which
are still at very theoretical states, would be far more effective in
*factoring* the primes of a _public key_ than doing key exhaustions on
128 bit keyspace of a block cipher, not to mention 256 bits.

So why create ciphers with larger keyspace? OK, so there's nothing to
lose in using more bits, but wouldn't it be better to improve the other
links in the chain? Hashing algorithm to support 256 bit cipher and a
random number generator come to mind. And a new public key algorithm,
making a key as strong as 256 bit symmetric key with the current ones is
a bit infeasible in itself. Does anyone know anything about elliptic
curve cryptosystem? I hear it's radically different from both DH/ElGamal
(discrete logarithms over a finite field) and RSA (discrete logarithms
over a finite abelian ring which is not a domain). Anyone got more
detailed information on it?

So couldn't we settle for a 256 bit block cipher? That should be
sufficient to the unforeseeable future. Then we can go arguing
about the asymmetric ciphers, hashes and the works, but at least
one part of the chain would be settled.


P.S. About Scramdisk...no WinNT, but is anyone doing a port to OS/2?

- --ECHELON Observer


-----BEGIN PGP SIGNATURE-----
Version: PGP 5.5.3ckt
Comment: KeyID: 0x8E211CBB
Comment: Fingerprint: 9C59 5D71 C894 4635 08F7 234C 198B 5B81 8E21 1CBB

iQA/AwUBNmGKjhmLW4GOIRy7EQIusgCginbACaHVxeklkO/d9jb0NvMjrsYAoKUO
1HV3YenIUCfvFeMaUC3GJqv4
=y8SQ
-----END PGP SIGNATURE-----

Anonymous

Nov 29, 1998, 3:00:00 AM
On Sun, 29 Nov 1998 17:30:15 GMT, <wishing_i...@ca.com> wrote:

>But......I believe his even limited credentials add more weight to his
>opinion than the many armchair cryptographers in this NG. What
>possible value could anyone in this forum gain by using greater than
>2048 bit keys? I would bet none of you has info that
>important......thus, the "penis size" parallel.

While some posters here give little information, and some even
disinformation, there are a lot of people here that are more than
just "armchair cryptographers". PRZ is no different from them, make
no error in assuming otherwise. He has just as much credentials as
some of those folks who have contributed to this NG. This is not
to diminish Phil, quite to the contrary, but I'm fairly certain
that even he would admit that there are many schools of thought
about the matters discussed, and that his is not necessarily the
"right" one.

Of course, if you don't like the company, you can try for example
sci.crypt, where you can discuss this subject in abundance.

And remember:
"Whatever you do is insignificant, but it is important that you do it"


>Just my opinion.......

Given the air of the post, it seemed to belittle those who
opt to do things differently from your way. Thus, it becomes
from simply expressing an opinion into imposing your opinion
on others. While you can and are welcome to do this, please
do the rest of us the favor of not using dubious connotations.

However, the thread has been a welcome one as it livens the
group, so thank you for your contribution.


Hugh

Nov 29, 1998, 3:00:00 AM
Cool, then you don't mind if I filter you in the future. You are a filthy
mouthed child.

sittin...@home.com wrote in message <3662829d...@news.scc.net>...
You obviously have preconceived notions which limit your ability to
comprehend written thoughts on this subject.

I did not write this as "breaking news". I wrote it as a revelation
to myself, long simmering as merely a suspicion. Besides, what about
those who have never used the C-KT build? Maybe they had never read
that file.

You have added nothing to the debate. I suggest you put your head
back into your ass until you have something of value to add.

If you need guidance, read the other responses to my post and see what
value they have added to this NG. Even if a lot of them were not
reliable sources of information, they definitely generated much
thought. And that is good enough.

All you have succeeded in doing is adding yourself to my kill-filter.

On Sun, 29 Nov 1998 05:37:21 -0600, "G. J. Greetan"
<cyber...@usa.net> wrote:

>-----BEGIN PGP SIGNED MESSAGE-----
>
>Hallo:
>

>> I have always suspected that those using greater than 2048 Bit RSA
>> keys were attempting to substitute key size for penis size, but
>> lacking a theoretical background in cryptography, I have always kept
>> my suspicions to myself. Not any longer........
>

> Is this supposed to be breaking news? Anyone who uses the C-KT build
>most
>likely knows about this since it is required reading when you run the
>installer (assuming people actually read the notes, rather than just
>hitting
>the 'next' button). You act like there was some concerted effort to
>keep the
>information from the PGP community when, in fact, it has been well
>reported.
>
>*----------------------------------------------------------------------*
>G. J. Greetan (ICQ - 11516548)
>Cyber-Knights Templar Primary Contact
>
>mailto:%20cybe...@usa.net
>http://members.tripod.com/cyberkt
>
>No PGP key bearing my name, generated before 98.24.08, is valid.
>
>Visit http://members.tripod.com/cyberkt to download my keys, or
>you can get them off of the key servers.
>
>NOTE: RSA is my preferred key, avoid using the DH key if possible.
>*----------------------------------------------------------------------*
>

>-----BEGIN PGP SIGNATURE-----


ESPO247

Nov 30, 1998, 3:00:00 AM
>And Twofish, does it support larger keys?

And Twofish is what, less than a year old? It is way too new to trust.
-
Espo
Free Kevin! www.KevinMitnick.com

irf...@my-dejanews.com

Nov 30, 1998, 3:00:00 AM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Dear Anonymous,

The 2k bits DSS, and for that matter any DSS key larger than 1k bits are
or may have been rendered pretty useless.

As the SHA1 hash algorithm as used in PGP 6.x.x only support DSS keys up
to 1k bits.

In the PGP 5.5.3 implementations, PGP used the Double width NIST SHA-1 hash
algorithm (SHA1x) when the DSS key was larger than 1k bits. SHA1x supports
DSA signatures up to 4k bits.
According to Mr Phil Zimmerman, and I quote, hoping that he is referring to
SHA1x:-

"Also, larger DSA keys don't contribute anything unless the hash grows
bigger with it. That requires selecting a good well-designed bigger hash
that has been specifically designed to have the full work factor for
breaking it. Using two SHA1 hashes in that manner has not been adequately
shown to achieve this result."

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1x

So, given the above, I would assume that NAI must have taken the SHA1x
code out of PGP 6.x.x.

Hence, authenticating this sub-message with PGP 6.x.x will crash it,
don't try it, you have been warned. And backup your key rings first,
if you would like to try it, just in case.

I am sure, the PGP programming team, will, in due time, come up with a
better way of handling this exception.
- -----BEGIN PGP SIGNATURE-----
Version: 5.5.3ckt http://members.tripod.com/IRFaiad
Comment: KeyID: 0xD53F3D1D
Comment: Fingerprint: BC33 7F15 BACD 5E97 BB22 5EAC B960 3BBD D53F 3D1D

iQBRAwUBNmJ1yrlgO73VPz0dEQSnVADmORKikalUvtScuMJu2nAKngHiceiEzb81
spH+Zz4A6P+Oczc/vmW7hifGVFoVT+DredqAXyCoX0t0Bn7f
=rz6j
- -----END PGP SIGNATURE-----


Best Regards

Imad R. Faiad
On 29 Nov 1998 01:24:56 +0100, in alt.security.pgp you wrote:

<snip>


>
>Also, there's another application for public/private key strategy,
>digital signatures. PGP, when using RSA, signs using 2048bit
>key, which is quite adequate, but DH/DSS uses only 1024bits.

>Correct me if I'm wrong. The version of PGP you refer to, supports


>up to 16K RSA keys and 8K DH keys with 2048 bit DSS. In addition to
>which, it includes several bugfixes and nice features not found in the
>regular distributions. Now, without paying too much attention to those
>ENORMOUS keys, the single most useful feature in the CK-T release
>is, IMHO, the 2048 bit DSS support.
>

>In conclusion, I would recommend use of public key at least as
>strong as the conventional cipher used in PGP (which has a keyspace
>of 128 bits) for encryption but not much more, 4096 bits is quite
>adequate, and 2048 bits for signatures.
>
>This should be a nice tradeoff between paranoia and convenience.
>
>
>Comments, anyone?

-----BEGIN PGP SIGNATURE-----
Version: 5.5.3ckt http://members.tripod.com/IRFaiad
Comment: KeyID: 0x833F1BAD
Comment: Fingerprint: 75CD 96A7 8ABB F87E 9390 5FD7 2A88 4F45

-----END PGP SIGNATURE-----

ssim...@hertreg.ac.uk

Nov 30, 1998, 3:00:00 AM
In article <1998112916...@replay.com>,
Anonymous <nob...@replay.com> wrote:

> Sam Simpson <ssim...@hertreg.ac.uk> wrote:
>

<SNIP>

> >> Also, there's another application for public/private key strategy,
> >> digital signatures. PGP, when using RSA, signs using 2048bit
> >> key, which is quite adequate, but DH/DSS uses only 1024bits.
> >> Correct me if I'm wrong.
> >

> >You are quite right... PGP v5 onwards is implemented with DSS keys up to
> >1024-bits. This is for good reason, FIPS 186 says that the value p has to
> >between 512 and 1024 bits - any other size would conform to the standards
> >and shouldn't be called DSS....
>
> I stand corrected. Thank you.
>

> >> The version of PGP you refer to, supports
> >> up to 16K RSA keys and 8K DH keys with 2048 bit DSS. In addition to
> >> which, it includes several bugfixes and nice features not found in the
> >> regular distributions. Now, without paying too much attention to those
> >> ENORMOUS keys, the single most useful feature in the CK-T release
> >> is, IMHO, the 2048 bit DSS support.
> >

> >Which means that the signature algorithm supported IS NOT DSS :-(
>
> ....which is probably the reason I'm having troubles signing
> w/2048 key in PGP 6. Still, I thought PGP 5.x supported 2048
> bits, albeit reluctantly. Was I wrong in my assumption?

Indeed. The OpenPGP standard says:

" An implementation SHOULD NOT implement DSA keys of size less than
768 bits. Note that present DSA is limited to a maximum of 1024 bit
keys, which are recommended for long-term use."

Thus no version of PGP is guaranteed to work with "DSA" signature keys > 1024
bits :-(

> >Also, Will Price of NAI (formerly PGP) has made the point on the PGP USERS
> >mailing list that "For the highly paranoid, a DH 3072 bit key is the best
> >choice. This will not change until the cryptographic community settles on
> >better hash algorithms and better symmetric ciphers.". I think he (and
> >NAI!) has ignored BlowFish, which supports keys of upto 448 bits and has
> >been round for several years now and is widely accepted within the crypto
> >community...
>
> How about CAST-256? And Twofish, does it support larger keys? But still,
> key exhaustion of even a 128 bit block cipher is computationally infeasible,
> and is quite likely to remain so. Even the coveted quantum computers, which
> are still at very theoretical states, would be far more effective in
> *factoring* the primes of a _public key_ than doing key exhaustions on
> 128 bit keyspace of a block cipher, not to mention 256 bits.

Any of the AES candidates are too new to recommend yet. Blowfish has been
around for a while and is widely trusted.

128 bits keys are long enough at the moment - but there is obviously a need
for larger key sizes (hence the AES requirement of supporting key lengths of
192 & 256 bits).

> So why create ciphers with larger keyspace? OK, so there's nothing to
> loose in using more bits, but wouldn't it be better to improve the other
> links in the chain?

Quite - the program is only as strong as the weakest link.

It would also be handy if the crypto community could find a generally accepted
hash function with an output >160 bits.

<SNIP>

> So couldn't we settle for a 256 bit block cipher? That should be
> sufficient to the unforeseeable future. Then we can go arguing
> about the asymmetric ciphers, hashes and the works, but at least
> one part of the chain would be settled.

Yeah - I'd say implement Blowfish in PGP (the OpenPGP draft does set aside an
ID number for Blowfish - but it is only 128-bits (WTF!)).

>
> P.S. About Scramdisk...no WinNT, but is anyone doing a port to OS/2?
>

The NT version (and a Linux version) are very early in the development cycle.
As far as I know, nobody is working on an OS/2 port :-( Maybe the 10
remaining OS/2 users could start writing a port <vbg!> :-)


Regards,

Sam Simpson
Comms Analyst
-- See http://www.hertreg.ac.uk/ss/ for ScramDisk, a free virtual disk
encryption for Windows 95/98. PGP Keys available at the same site.


Anonymous

Nov 30, 1998, 3:00:00 AM
Mon, 30 Nov 1998 06:51:26 GMT Imad R. Faiad <irf...@my-dejanews.com> wrote:

>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: RIPEMD160
>
>Dear Anonymous,
>
>The 2k bits DSS, and for that matter any DSS key larger than 1k bits are
>or may have been rendered pretty useless.
>
>As the SHA1 hash algorithm as used in PGP 6.x.x only support DSS keys up
>to 1k bits.
>
>In the PGP 5.5.3 implementations, PGP used the Double width NIST SHA-1 hash
>algorithm (SHA1x) when the DSS key was larger then 1k bits. SHA1x supports
>DSA signatures up 4k bits.
>According to Mr Phil Zimmerman, and I quote, hoping that he is referring to
>SHA1x:-
>
>"Also, larger DSA keys don't contribute anything unless the hash grows
>bigger with it. That requires selecting a good well-designed bigger hash
>that has been specifically designed to have the full work factor for
>breaking it. Using two SHA1 hashes in that manner has not been adequately
>shown to achieve this result."

Again, thank you for this information. I stand corrected.


>So, given the above, I would assume that NAI must have taken the SHA1x
>code out of PGP 6.x.x.
>
>Hence, authenticating this sub-message with PGP 6.x.x will crash it,
>don't try it, you have been warned. And backup your key rings first,
>if you would like to try it, just in case.

I'm using PGP 5.5.3ckt on top of PGP 6.0.2..........just to be
compatible with those keys out there with nonstandard keysizes.


>I am sure, the PGP programming team, will, in due time, come up with a
>better way of handling this exception.

I hope so. Using one PGP version on top of another is by no
means a solution for compatibility.

A while ago, there was a debate regarding hashing algorithms
here, so there's little point in repeating those things, but
I'd still like to see the strength of PGP signature facilities
pumped up just a little bit. If for no better reason, then
just to feel a bit safer.

Sam Simpson

Nov 30, 1998, 3:00:00 AM

> wishing_i...@ca.com wrote in message
<366384a4...@news.scc.net>...
> I know Zimmerman is not a "god". In fact, he didn't even write the
> cryptographic algorithms he used. He just put them together into a
> software program. Further, all he has is a BS from MIT, not even a
> Masters or Ph.D, or any published articles in respected journals.

>
> But......I believe his even limited credentials add more weight to his
> opinion than the many armchair cryptographers in this NG.

There are actually some quite reasonable cryptographers that read this
group...

> What
> possible value could anyone in this forum gain by using greater than
> 2048 bit keys? I would bet none of you has info that
> important......thus, the "penis size" parallel.
>

Did you even bother reading the message you replied to?

> Just my opinion.......

Sam Simpson
Comms Analyst
-- See http://www.hertreg.ac.uk/ss/ for ScramDisk, a free virtual disk
encryption for Windows 95/98. PGP Keys available at the same site.

On 29 Nov 1998 17:00:10 +0100, Anonymous <nob...@replay.com> wrote:

>-----BEGIN PGP SIGNED MESSAGE-----


>Hash: SHA1
>
>Sam Simpson <ssim...@hertreg.ac.uk> wrote:
>

>>>>I have always suspected that those using greater than 2048 Bit RSA
>>>>keys were attempting to substitute key size for penis size, but
>>>>lacking a theoretical background in cryptography, I have always kept
>>>>my suspicions to myself. Not any longer........
>>

>>Sounds like *you* need a better background theoretical background in
>>cryptography...

<SNIP>

David Crick

Dec 2, 1998, 3:00:00 AM
> In conclusion, I would recommend use of public key at least as
> strong as the conventional cipher used in PGP (which has a keyspace
> of 128 bits) for encryption but not much more, 4096 bits is quite
> adequate, and 2048 bits for signatures.
>
> This should be a nice tradeoff between paranoia and convenience.
>
> Comments, anyone?

Yup. Breaking the 128-bit key of a given message will reveal only
that message. Breaking the RSA key of a message will allow you to
decrypt (and sign) past and future messages also.

Therefore for the truly paranoid, a public key of "greater security"
(ie length) than the secret key would seem to make sense.

Anyone agree? :)

David.

--
+---------------------------------------------------------------------+
| David Crick dac...@mcmail.com http://members.tripod.com/~vidcad/    |
| Damon Hill WC '96 Tribute: http://www.geocities.com/MotorCity/4236/ |
| Brundle Quotes Page: http://members.tripod.com/~vidcad/martin_b.htm |
| PGP Public Key: (RSA) 0x22D5C7A9 00252D3E4FDECAB3 F9842264F64303EC  |
+---------------------------------------------------------------------+

Ron Heiby

Dec 3, 1998, 3:00:00 AM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

sendn...@this.address wrote:
>I believe you have failed to comprehend the implications of your own
>argument. Read the following assumptions and the conclusion before
>replying. I have tried to be as clear and simple as possible.

OK. I believe that you have succeeded at being sufficiently clear and
simple to be understandable.

>Assumption: An entity manages to accumulate the computing power to
>break the 128 Bit IDEA cypher, which implies it can break a 3000 Bit
>RSA key, but cannot break anything greater.

That's one HECK of an assumption! In the current PGP documentation, we
find the following:

"Given all of today’s computing power and available time—even a billion
computers doing a billion checks a second—it is not possible to decipher
the result of strong cryptography before the end of the universe."

This is referring to the sort of encryption used in PGP, and refers to
attempting to break the encryption using a brute force approach. Clearly,
this is saying that your assumption, as related to a brute force approach
at breaking PGP's encryption, is false.

But, we are not finished with your assumption. There are other
cryptographic attacks besides brute force. It is possible that there are
one or more such attacks, not generally known in the public crypto
community, that make it possible to decipher IDEA or RSA in substantially
less time than a brute force approach would require. However, my (limited)
understanding of the two algorithms suggests to me that such an attack
would be unlikely to work equally well on both algorithms. So, if there
were a really good attack against IDEA, it might make much more sense to
use it over and over than try to brute force RSA. I believe that this is
where your assumption breaks down completely.

Of course, since we are not aware of any such attacks....

>Conclusion: That entity can break and read ANY message

In any case, since your fundamental assumption has been shown to be false,
you cannot arrive at your stated conclusion via the route you suggested.

QEF

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.0.2

Comment: My Keys: 0x571B55BD and 0x628ECED2 available from keyservers

iQA/AwUBNmYj/2asl5Jijs7SEQJLBQCfVoT/taULsnMznuHp/Cf9aVoS0XYAoPUD
i4sAsLQqC457jv/WgbSg+7Q5
=VWRz
-----END PGP SIGNATURE-----

--
Ron.

Anonymous

Dec 3, 1998, 3:00:00 AM
Someone from IP 209.32.143.21 wrote:

>I believe you have failed to comprehend the implications of your own
>argument. Read the following assumptions and the conclusion before
>replying. I have tried to be as clear and simple as possible.
>

>Given: It takes the same amount of work to break the 128 Bit IDEA
>cipher as it does to break a 3000 Bit RSA key.

Caveat: Key EXHAUSTION of 128 bit IDEA cipher vs. FACTORING a 3000
bit RSA key requires, by present knowledge, the same computing power.
However, whereas it's reasonable to assume that provided it has no
weaknesses, key exhaustion is required to break IDEA, there's nothing
to say that factoring RSA has to be that hard. It's the present assumption
that they have equal computational workload to break, but this has
not been proven, and mathematical advances in number theory may well
render the current assumption moot. This can NOT happen to key
*exhaustion*, by definition.


>Assumption: An entity manages to accumulate the computing power to
>break the 128 Bit IDEA cypher, which implies it can break a 3000 Bit
>RSA key, but cannot break anything greater.

Caveat: Well, then, show me an entity that can accumulate the
computing power to break a 128 bit cipher! Key exhaustion is not
feasible simply because the keyspace is way too big. Factoring
an RSA key, OTOH, needn't be that hard, and quite possibly isn't,
since it relies on mathematics instead of simply brute-forcing
every single key.


>Conclusion: That entity can break and read ANY message from the past,
>present or future, since it has the computing power to do so. It
>cannot forge your signature.

Caveat: Read the above....and provided the scenario you present
would come true, they could forge your signature.


>Rule: If you are frantic that that some entity is going to forge your
>signature, should they accumulate the computing power above, use
>greater than 3000 Bits for the RSA key.

Caveat: No. Using 3000 bits RSA key serves no purpose if only
for compatibility reasons. In addition, perceived security of
RSA keys grows slower than DH/ElGamal, so 3000 bit is effectively
weaker than DH key of equal size. PGP supports 4096 bit DH keys,
so using RSA keys above the widely supported base is fairly
pointless except under some special circumstances.


>Caveat: I do not know what 128 Bit IDEA/3000 Bit RSA translates to in
>terms of the DH/DSS standard. For those that know, extrapolate.......

Here's an example. The figures to the left are the asymmetric
key sizes, to the right are the corresponding block cipher key
sizes:

RSA IDEA DH/DSS IDEA
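The key-exhaustion versus factoring distinction in the post above can be put in numbers. The following is an added example, not part of the post and not its table: it evaluates the standard heuristic running time of the general number field sieve with the o(1) term dropped, so the figures are ballpark only and do not reproduce the thread's equivalences exactly. The function names are made up for this illustration.

```python
import math

# Constant c in L_N[1/3, c], the heuristic cost of the general number
# field sieve (GNFS), the best publicly known factoring method.
GNFS_C = (64 / 9) ** (1 / 3)

def gnfs_bits(modulus_bits):
    """log2 of exp(c * (ln N)^(1/3) * (ln ln N)^(2/3)) for an N of this size.

    Assumption of this example: the o(1) term of the real estimate is
    ignored, so treat the result as an order of magnitude, not a rating.
    """
    ln_n = modulus_bits * math.log(2)
    work_ln = GNFS_C * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return work_ln / math.log(2)

def modulus_bits_for(symmetric_bits, lo=512, hi=65536):
    """Smallest modulus size whose GNFS estimate reaches 2^symmetric_bits."""
    while lo < hi:
        mid = (lo + hi) // 2
        if gnfs_bits(mid) >= symmetric_bits:
            hi = mid
        else:
            lo = mid + 1
    return lo

if __name__ == "__main__":
    # Exhausting a k-bit symmetric key costs about 2^k by definition;
    # the RSA column below grows far more slowly than the key size.
    for bits in (1024, 2048, 3000, 4096, 8192, 16384):
        print(f"RSA {bits:>5} bits ~ 2^{gnfs_bits(bits):.0f} operations")
    print("modulus reaching ~2^128:", modulus_bits_for(128), "bits")
```

Doubling the modulus from 2048 to 4096 bits adds only about 40 bits of estimated work, and a better factoring algorithm would change the formula itself, which cannot happen to exhaustive search.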

Thomas J. Boschloo

Dec 3, 1998, 3:00:00 AM
-----BEGIN PGP SIGNED MESSAGE-----

sendn...@this.address wrote:

> Assumption: An entity manages to accumulate the computing power to
> break the 128 Bit IDEA cypher, which implies it can break a 3000 Bit
> RSA key, but cannot break anything greater.
>

> Conclusion: That entity can break and read ANY message from the past,
> present or future, since it has the computing power to do so. It
> cannot forge your signature.

Breaking a 3000 Bit RSA key means finding the two large prime factors of
the 3000 bit (public) modulus. These two primes are all that is needed
to calculate the whole secret key in a few microseconds. Having the
secret component of an RSA key implies being able to sign with it [Q.E.D.]

> Caveat: I do not know what 128 Bit IDEA/3000 Bit RSA translates to in
> terms of the DH/DSS standard. For those that know, extrapolate.......

DH/DSS uses two different keys. One for signing and one for decrypting,
so that would probably be different.

Voila,
Thomas
-----BEGIN PGP SIGNATURE-----
iQB5AwUBNmZqkwEP2l8iXKAJAQExHAMgg8b7eBMTihbXxvWE5FkfgJCYgKrYCMo8
R9HEJ/iLZParyu1DId/CA8tjZ3V4KQg+vcOValjmzMmmaGjnrHnsc42Jze2s08NT
npsCjZLaxvOlRL1LFgGMwc0EurD6nWQJzjhFFw==
=3dR9
-----END PGP SIGNATURE-----
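The point made in the post above, and in David Crick's earlier reply, is that one long-term RSA key protects every message's session key and every signature. The following is an added example, not code from any poster or from PGP: it uses constructed toy primes, a toy hash-mod-n encoding instead of a real padding scheme, and function names invented for the illustration.

```python
import hashlib
from math import gcd

# Constructed toy parameters: two small Mersenne primes stand in for the
# "two large prime factors" of a real modulus. Far too small for real use.
P = 2**31 - 1
Q = 2**61 - 1
E = 65537
N = P * Q            # the public modulus; (N, E) is the public key

def private_exponent(p, q, e):
    """Everything secret in an RSA key follows from the factors of n."""
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # Carmichael lambda(n)
    return pow(e, -1, lam)                          # modular inverse (Python 3.8+)

def digest_as_int(message, n):
    """Toy message encoding: SHA-256 reduced mod n (no real padding scheme)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message, d, n):
    return pow(digest_as_int(message, n), d, n)

def verify(message, signature, e, n):
    return pow(signature, e, n) == digest_as_int(message, n)

def unwrap_session_key(wrapped, d, n):
    return pow(wrapped, d, n)

if __name__ == "__main__":
    d = private_exponent(P, Q, E)
    # Two separate messages, each with its own constructed session key,
    # both wrapped under the same long-term public key.
    session_keys = [0x1DEA0001, 0x1DEA0002]
    wrapped = [pow(k, E, N) for k in session_keys]
    print([hex(unwrap_session_key(c, d, N)) for c in wrapped])
    sig = sign(b"constructed message", d, N)
    print("verifies under the public key:", verify(b"constructed message", sig, E, N))
```

Each session key covers one message, while the exponent derived from the factors unwraps all of them and produces signatures that verify, which is why the long-term key is the component whose strength and protection matter most.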
