Understanding subkeys and multiple IDs (or, @#$%!) - PGP

This is a discussion on Understanding subkeys and multiple IDs (or, @#$%!) - PGP ; Okay. So I have a key pair that I created a few days ago. I entered 4096-bit encryption. Today, I pulled up the key pair's properties dialog. On the General tab, I see this: ID: 0xB1ABD77C Type: DH/DSS Size: 4096/1024 ...

+ Reply to Thread
Results 1 to 4 of 4

Thread: Understanding subkeys and multiple IDs (or, @#$%!)

  1. Understanding subkeys and multiple IDs (or, @#$%!)

    Okay. So I have a key pair that I created a few days ago. I entered
    4096-bit encryption. Today, I pulled up the key pair's properties
    dialog. On the General tab, I see this:

    ID: 0xB1ABD77C
    Type: DH/DSS
    Size: 4096/1024
    Cipher: AES-256

    Fingerprint: D942 4065 379A 6086 5FF3 9098 DFC5 978C B1AB D77C

    I click on the Subkeys tab and see one entry:

    Valid from: 10/29/03
    Expires: Never
    Size: 4096

    Okay.

    I click on the little question mark icon at the top of the dialog and
    click on Size (in the General tab), and it says: "The key's size in
    bits. [...] If the key size is RSA or [DH]/DSS, two numbers appear. The
    first number is the size of the master key size [sic]; the second number
    is the size of the first subkey." So according to this, the _second_
    number (1024) is the size my (sole) subkey. Then what of the Size number
    on the Subkeys tab (which says 4096)? Exactly what is 4096 bits and what
    is 1024 bits? (Please, simple language for the barely-initiated.)

    Also, what the purpose of adding extra names to my key pairs? According
    to my brief experience, when you retrieve someone's key information
    (like when verifying a signature), _all_ of a user's names are retrieved
    too. Do I have to create a brand new key pair if I want to use a second
    identity for anonymous online operations? I don't want my personal name
    and e-mail address made public like that. What are the differences
    between adding names to a key pair and adding subkeys (which are _what_
    again?).

    I hope this is clear. Many thanks!
    --
    J44xm

  2. Re: Understanding subkeys and multiple IDs (or, @#$%!)

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    "J44xm" wrote in message
    news:Xns9425A267586A0j44xm@216.196.97.129...
    > Okay. So I have a key pair that I created a few days ago. I entered
    > 4096-bit encryption. Today, I pulled up the key pair's properties
    > dialog. On the General tab, I see this:
    >
    > ID: 0xB1ABD77C
    > Type: DH/DSS
    > Size: 4096/1024

    [snip]
    > Exactly what is 4096 bits and what
    > is 1024 bits? (Please, simple language for the barely-initiated.)
    >


    DSS = you sign with 1024 bit key
    DH = you encrypt/decrypt with 4096 bit key

    > Also, what the purpose of adding extra names to my key pairs?
    > According to my brief experience, when you retrieve someone's key
    > information (like when verifying a signature), _all_ of a user's
    > names are retrieved too. Do I have to create a brand new key pair
    > if I want to use a second identity for anonymous online
    > operations?


    Look at my key. It has email that I *want* people to associate with
    "richard hunt". Except for the former employer, which should display
    as a revoked user-id. And a former ISP which will soon have revoked
    status.

    If I wanted a pseudonym that wasn't associated with "richard hunt",
    then I would create a second key, and be very careful which one I
    signed posts or messages with. :-)

    > I don't want my personal name
    > and e-mail address made public like that.


    OK... but the usefulness of PGP to ordinary people goes UP if the
    email ID's on a key are good. (in my opinion, of course)

    > What are the differences
    > between adding names to a key pair and adding subkeys (which are
    > _what_ again?).
    >


    I don't have a real good handle on *why* to use subkeys either. :-)

    Richard

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 8.0.2

    iQA/AwUBP6MFg555AOjdVgeLEQLWlwCgxv2DnhEyDWA0wHIzAOjxLl HCL1UAoO54
    rFEy/6602NffVYh3vuaJ+4Vj
    =nnpJ
    -----END PGP SIGNATURE-----



  3. Re: Understanding subkeys and multiple IDs (or, @#$%!)

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Richard Hunt wrote:

    > "J44xm" wrote in message
    > news:Xns9425A267586A0j44xm@216.196.97.129...


    >> What are the differences between adding names to a key pair and
    >> adding subkeys (which are _what_ again?).

    >
    > I don't have a real good handle on *why* to use subkeys either.


    Individuals typically don't have a need to work with subkeys. A
    commercial entity might use expiring subkeys for encryption so that if
    there is a private key compromise, the attacker will only be able to
    decrypt information from a limited period of time.

    However, an individual may have a need...

    Let's say you want to use PGP away from home. You want your contacts,
    both personal and professional to know you by the same keyid, yet you
    don't want your private key exposed to the increased risk of
    compromise at work (PC's you don't control, many people looking over
    shoulder, hackers on the LAN, etc). The solution is to disable your
    primary signing key and add signing and encryption subkeys for your
    key to be used at work. This way, your messages would be associated
    with your primary keyid regardless of which key you used to sign with
    (depending on where you were composing from). If your passphrase was
    compromised, your personal information would not be at risk because
    the only copy of your private key available to an attacker at work has
    different encryption and signing keys than your complete key at home.
    If you became aware that your passphrase had been compromised at work,
    you could then change your passphrase at home (you do periodically,
    anyway, right?!) and restore your two-step protection (something you
    have - your private key, and something you know - your passphrase).


    - --
    Mike Daigle http://mdaigle.webhop.info/
    Request-PGP http://mdaigle.webhop.info/trust/keys/BB539A1C.asc


    -----BEGIN PGP SIGNATURE-----
    Comment: Gossamer Spider Web of Trust - http://gswot.webhop.info

    iD8DBQE/oxzU5MyrnbtTmhwRAqV1AJ9fku5YvVOxyktd0Xqm6LS7PhPR0g CfQ/Vk
    Hkq8/CaRPEYtRMxGsWleqLQ=
    =6Mpb
    -----END PGP SIGNATURE-----


  4. Re: Understanding subkeys and multiple IDs (or, @#$%!)

    Michael Daigle writes:

    > Individuals typically don't have a need to work with subkeys.


    The v4 RSA key pair I generated for myself appears to _require_ at least
    one subkey for encryption ... no?

    --
    Transpose hotmail and mxsmanic in my e-mail address to reach me directly.

+ Reply to Thread