DSA, El Gamal, or RSA? SHA-256, or SHA-512? At minimum or at maximum strength?

6 replies
ADFENO
Joined: 12/31/2012

First I would like to apologize for the long topic subject. Second, for those who have my public key added to their keyrings, I'm thinking about changing keys.

Well, to make it short: Which one is the most secure in each case?

– DSA for signing with El Gamal for encrypting, or RSA for both?
– SHA-256 or SHA-512?
– At which strength?

Now for the confusing part which led me to create this topic:

First, sorry for referencing non-free content.

There's an old post [1] on a blog for GNU+Linux Debian administrators which informs about a serious attack against SHA-1, and the author suggests that, besides using a stronger SHA, one should use RSA keys.

However, there's a topic [2] on Linux Forums, where a user called JustinT explains his studies about this subject and also suggests an article written by himself (it's really long, it even has two parts, but I read it, :D)

JustinT suggests using DSA for signing with El Gamal for encryption, and he suggests using DSA with SHA-256 at a minimum. What can this “minimum” mean? Does it mean to choose the shortest/smallest strength?

Anyway, what do you think?

[1] https://www.debian-administration.org/users/dkg/weblog/48
[2] http://www.linuxforums.org/forum/security/3515-rsa-versus-dsa.html

Best regards, ADFENO.
Have a nice day.

G4JC
Joined: 03/11/2012

Lately I don't trust RSA too much...
https://www.eff.org/deeplinks/2014/01/after-nsa-backdoors-security-experts-leave-rsa-conference-they-can-trust

I think by SHA-256 as a minimum he means you should go higher. SHA-512 is pretty fair :P

Michał Masłowski
Joined: 05/15/2010

RSA for both or separate RSA subkeys for signing and for encryption.
SHA-512 is safer than SHA-256, while it's slower and has hashes twice
as big (not an issue for signatures: RSA already needs big signatures).

DSA is less popular, more complex and usually needs randomness for
signing. If multiple signatures are made with bad randomness, an attack
can recover the private key from it: it's bad and not possible with RSA.

DSA is usually used with 1024 bit keys, these are weak. RSA with 4096
bit keys or larger might be safe enough for the near future.

("RSA" here refers to the algorithm, not the insecure company.)
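
The bad-randomness problem described in the post above, as an added example that is not part of the original thread: a toy DSA in Python showing that signatures made with a repeating nonce still verify but share the same `r`, which an audit can flag, and that deriving the nonce from the key and message removes the dependence on the RNG. The parameters, function names, sample messages and key are constructed for illustration; `deterministic_nonce` is a simplified take on the RFC 6979 idea, not the RFC's exact procedure.

```python
import hashlib, hmac
from collections import defaultdict
from math import isqrt

Q = 2**31 - 1   # toy subgroup order, far too small for real use
def _is_prime(n):
    return n > 1 and all(n % d for d in range(2, isqrt(n) + 1))
P = next(p for p in (2 * j * Q + 1 for j in range(1, 10**4)) if _is_prime(p))
G = next(g for g in (pow(h, (P - 1) // Q, P) for h in range(2, 50)) if g != 1)

def H(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q

def sign(x, msg, nonce_fn):
    k = nonce_fn(x, msg)                      # per-signature secret nonce, 1 <= k < Q
    r = pow(G, k, P) % Q                      # r depends on k only, not on the message
    s = pow(k, -1, Q) * (H(msg) + x * r) % Q
    if r == 0 or s == 0:
        raise ValueError("degenerate signature, pick another nonce")
    return r, s

def verify(y, msg, sig):
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    return pow(G, H(msg) * w % Q, P) * pow(y, r * w % Q, P) % P % Q == r

def stuck_rng_nonce(x, msg):                  # constructed failure: RNG that repeats itself
    return 123456789

def deterministic_nonce(x, msg):              # simplified RFC 6979 idea, not its exact procedure
    mac = hmac.new(x.to_bytes(8, "big"), msg, hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % (Q - 1) + 1

def find_nonce_reuse(signed):
    """Map each r that appears on more than one distinct message to those messages."""
    by_r = defaultdict(set)
    for msg, (r, _s) in signed:
        by_r[r].add(msg)
    return {r: msgs for r, msgs in by_r.items() if len(msgs) > 1}

def demo():
    x = 0x1234567                             # constructed toy private key
    y = pow(G, x, P)
    msgs = [b"release-1.0", b"release-1.1", b"release-1.2"]   # constructed messages
    result = {}
    for name, fn in (("stuck", stuck_rng_nonce), ("deterministic", deterministic_nonce)):
        signed = [(m, sign(x, m, fn)) for m in msgs]
        result[name] = (all(verify(y, m, s) for m, s in signed), len(find_nonce_reuse(signed)))
    return result
```

`demo()` returns, per nonce source, whether all signatures verified and how many `r` values were shared across different messages; verification passes in both cases, so only the repeated-`r` check exposes the faulty RNG.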

lloydsmart
Joined: 12/22/2012

I like DSA, and definitely El-Gamal for encryption.

I wasn't aware of the entropy problem with DSA, but it doesn't affect me as I have an external source of entropy.

If you're worried about it, I can recommend this product:

http://www.entropykey.co.uk/

It has completely free drivers that are included in Debian and Trisquel.

ADFENO
Joined: 12/31/2012

First, I'm sorry for reviving a topic, but this is really important.

I sent an email to Justin (actually, I sent two, but one was in Brazilian Portuguese, so he didn't understand it). Here follows my email:

== Start of email sent ==
Hi Justin,

Sorry if my last email seemed hard to understand, perhaps it's because I wrote it in Brazilian Portuguese. However, if you don't remember receiving an email sent by me, then just forget about this paragraph.

You can answer this email in English if you want.

OK, let me introduce myself: I'm a free software and free culture enthusiast, who also values privacy and security.

I must say that your article about the 128 and 256 bit keys [1] is very interesting, and also, your comment on a topic in the Linux Forums [2] makes me think more and more about this subject.

Because of this, I brought the question to my mates from the GNU+Linux-libre Trisquel project [3], but the questions haven't been answered.

And so I bring the questions to you: Which one is the most secure in each case?

– DSA for signing with El Gamal for encrypting, or RSA for both?
– SHA-256 or SHA-512? Or other hash algorithm (in this case, which one)?
– At which strength (for example: 4096 bits)? Is the maximum strength recommended/safe?

[1] http://www.windowsecurity.com/articles-tutorials/authentication_and_encryption/Ideal-to-Realized-Security-Assurance-Cryptographic-Keys-Part1.html
[2] http://www.linuxforums.org/forum/security/3515-rsa-versus-dsa.html
[3] https://trisquel.info/en/forum/dsa-el-gamal-or-rsa-sha-256-or-sha-512-minimum-or-maximum-strength

Best regards, ADFENO.
Have a nice day.
== End of email sent ==

One day later, he replied with the following email (which was adapted by me for enhanced readability):

== Start of email received ==
Good evening, Adfeno!
Sorry ... I speak Portuguese more or less, but I will carry on with English if that's okay,

[Here, Justin talks about some “almost” personal information about him, so I'll just suppress it.]

As far as DSA/Elgamal vs RSA, I'd recommend this post from Thomas Pornin: http://crypto.stackexchange.com/a/1679 (I trust his judgment, and he points out a lot of the architectural issues that might be more tangible than the security differences.) Security-wise, I'd not be too worried about using either configuration.

As for SHA-256 vs. SHA-512 -- I'd say you should be secure with either. I don't know of any attacks that would cause one to choose one over another, from a practical security standpoint. I've sometimes seen people use SHA-512, and then truncate to 256 bits, if that's all they need. However, you'll not really notice a security difference between the two, in the real world. There's a good discussion of that here: http://crypto.stackexchange.com/a/3156

Nowadays, if you can afford 4096-bit keys, that's a good choice; at the very least, 2048, but it's hard to say if that's even considered conservative right now.

I hope this helps! Feel free to e-mail me anytime and I'll do my best to respond as quickly as possible. If you're on Twitter, I partake in a lot of discussions there (@justintroutman).

Best regards,
Justin
== End of email received ==

Well, looks like we have gathered some good sources of information which can help us decide how to make our next key pairs. It's also important to note what lloydsmart said: “I wasn't aware of the entropy problem with DSA, but it doesn't affect me as I have an external source of entropy”.

Best regards, ADFENO.
Have a nice day.

andrew
Joined: 04/19/2012

I believe it will *eventually* be recommended that GnuPG users switch to
ECC keys in the coming years, rather than RSA/DSA/ElGamal.

A 15360-bit RSA key should have roughly the same strength as a 521-bit
ECC key.

ECC will be supported in GnuPG 2.2 (current release is 2.0.22).

Andrew.

G4JC
Joined: 03/11/2012

The only concern here is...
"We do not -- at least not yet -- but I strongly believe that the NSA has a significant advantage in breaking ECC. This doesn't mean it's bad, but I think we need to 1) make sure we know where our curves come from, and 2) build in a hefty security margin."

"Prefer symmetric cryptography over public-key cryptography."
- Bruce Schneier
https://www.schneier.com/blog/archives/2013/11/elliptic_curve.html
https://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html