ietf-openpgp

Re: Suggested changes for DSA2

2006-03-29 10:00:11

On Tue, Mar 28, 2006 at 03:50:58PM -0800, "Hal Finney" wrote:
David Shaw wrote:

How about this (presumably for the Security Considerations section):

   As OpenPGP combines many different asymmetric, symmetric, and hash
   algorithms, each with different measures of strength, care should
   be taken that the weakest element of an OpenPGP message is still
   sufficiently strong for the purpose at hand.  Implementations
   receiving messages SHOULD indicate to the user the actual strength
   of the messages.  While consensus about the strength of a given
   algorithm may evolve, at publication time, NIST Special Publication
   800-57 [SP800-57] recommended the following list of equivalent
   strengths:

       [ put table here ]

I like this general direction, but I don't think it will work to indicate
to users the actual strength of message encryptions or signatures.
There is no convenient way to express this information that will be
understandable to the layman.  We could say that a DSA1 signature has 80
bits of strength, and a 2048 bit RSA encryption using AES-256 has 112 bits
of strength, but that is too technical and also in most cases too much
information.  It's also non-standard practice in crypto implementations
to provide this information, and I don't feel comfortable putting in
a requirement for something this novel, without having experience to
justify it.

I actually think this may well be simpler than what we have now.
Right now GPG says things like "Signature made with 4096-bit RSA key"
and optionally "Hash used was SHA-1" and such.  I don't have a copy of
PGP handy at the moment to check, but I recall it doesn't say either.
Saying something like "This signature is 80 bits strong" would
actually give a single, reasonably accurate number to indicate
relative strength.  I doubt many users can translate "4096 bit RSA
with SHA-1" into a strength value they can compare with other strength
values.

However, you're quite right that it is a large step to make such a
thing a SHOULD without any experience to justify it first.  Certainly
any implementation that wants to experiment down that route can do so
without any special mandate in the standard.

Dropping the notification SHOULD from the change gives this (for the
Security Considerations section):

   As OpenPGP combines many different asymmetric, symmetric, and hash
   algorithms, each with different measures of strength, care should
   be taken that the weakest element of an OpenPGP message is still
   sufficiently strong for the purpose at hand.  While consensus about
   the strength of a given algorithm may evolve, at publication
   time, NIST Special Publication 800-57 [SP800-57] recommended the
   following list of equivalent strengths:

      [ put table here ]

This is perhaps stating the obvious, but I think still worth
mentioning.

I'm still in favor of making the NIST list a SHOULD for generating
DSA2 keys, of course.

Okay, well, maybe the rest of it is too complex to deal with for now.

Ok.  I'll roll together a change take 4 and send it to the list.

David
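
Added example, not part of the original message and not code from GnuPG or PGP: a sketch of the single-number "weakest element" calculation discussed in this thread. The thread's own table is elided as "[ put table here ]", so the size-to-strength values below are an assumption filled in from the comparable-strength figures in NIST SP 800-57, with hashes rated at nominal collision strength (half the output length); all function names are hypothetical.

```python
# Added illustration. Table values are assumed from NIST SP 800-57 Part 1
# "comparable strengths"; they are not taken from the message above.

# (minimum size in bits, bits of strength) for RSA moduli and DSA p
MODULUS = [(1024, 80), (2048, 112), (3072, 128), (7680, 192), (15360, 256)]
# (minimum size in bits, bits of strength) for the DSA subgroup order q
SUBGROUP = [(160, 80), (224, 112), (256, 128), (384, 192), (512, 256)]
# Nominal collision strength of each hash (half the digest length)
HASH = {"SHA-1": 80, "SHA-224": 112, "SHA-256": 128,
        "SHA-384": 192, "SHA-512": 256}
SYMMETRIC = {"3DES": 112, "AES-128": 128, "AES-192": 192, "AES-256": 256}


def _floor_bucket(bits, table):
    """Strength of the largest listed size that `bits` reaches; 0 if none."""
    strength = 0
    for size, value in table:
        if bits >= size:
            strength = value
    return strength


def rsa_strength(modulus_bits):
    return _floor_bucket(modulus_bits, MODULUS)


def dsa_strength(p_bits, q_bits):
    # A DSA key is limited by whichever of p and q is weaker, so a
    # 2048-bit p paired with a 160-bit q is still an 80-bit key.
    return min(_floor_bucket(p_bits, MODULUS), _floor_bucket(q_bits, SUBGROUP))


def signature_strength(key_strength, hash_name):
    """Weakest element of a signature: the key or the hash."""
    return min(key_strength, HASH[hash_name])


def encryption_strength(key_strength, cipher_name):
    """Weakest element of an encrypted message: the key or the cipher."""
    return min(key_strength, SYMMETRIC[cipher_name])


def describe_signature(key_strength, hash_name):
    bits = signature_strength(key_strength, hash_name)
    return f"This signature is {bits} bits strong"


if __name__ == "__main__":
    # "4096 bit RSA with SHA-1" from the message above
    print(describe_signature(rsa_strength(4096), "SHA-1"))
```

An unknown hash or cipher name raises `KeyError` rather than being silently rated, so an unlisted algorithm cannot inflate the reported strength.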
