Bill Stewart <stewarts(_at_)ix(_dot_)netcom(_dot_)com> writes:
At 10:50 AM 12/04/1997, Peter Gutmann wrote:
DSS/DSA is only specified for key lengths between 512 and 1024, but OpenPGP
should be free to do longer keys, even though the standard doesn't actually
support them.
There's no point in moving to p > 1K bits if q is only 160 bits because it'll
be vulnerable to a small-exponent attack. Since q is governed by the hash
function associated with DSA, you then need to define a new hash function wit
a larger output block size, and suddenly things get very messy. At the momen
I don't think it's sensible to use keys > 1K bits, all it'll do is lead to
confusion about the amount of security offered.
Also, as I look at PGP key generation again, it does limit the DSA keys to
1024 bits, even when you're doing longer ElGamal. Doesn't necessarily have to
do that, but I didn't find a way to input different behaviour.
To get around this, you could use Elgamal for signatures (although the current
PGP doesn't support this, the code is commented out). I published an Elgamal
profile for X.509 a few months ago (available from RFC draft repositories)
which specifies how to do this and covers various security issues.
Peter.