Re: What to use: RSA or DSA?

Anonymous <nobody@remailer.paranoici.org> wrote:

>I would like to use public-key cryptography in a protocol I'm designing

>but having done a little research I discovered there are two types: RSA

>and DSA.

I believe you should do some more research. First of all, public

key cryptography encompasses among other things encryption and

digital signatures. You probably want to research the difference.

> Which one is the stronger one of the two?

People believe that both are equally strong.

>What key strength should I use if the goal was to have a PKI strength

>which is *at least* equal to 256-bits AES?

What is PKI strength? (NIST has some document that recommends key sizes.

I do not remember exactly what they recommend, but I guess that to match

256 bit AES, you really want to use ECDSA.)

>Another possibly related question: where/why is hashing used in a PKI system?

Come on! Do a bit of research on your own. Type "digital signature

algorithm" or "PKI" into Google and read for twenty minutes.

--

Kristian Gjøsteen

Re: What to use: RSA or DSA?

Kristian Gjøsteen wrote:

> Come on! Do a bit of research on your own. Type "digital signature

> algorithm" or "PKI" into Google and read for twenty minutes.

What a jerk! Just answer the question! You show no respect for the

newcomers! This is why sci.crypt sucks nobody can talk without the

self-appointed pros tearing into them!!!

.....

:-) Now you know how I feel Kristian. hehehehe

Tom

Re: What to use: RSA or DSA?

[I'd suggest we drop comp.security.pgp.discuss from this, it really has

nothing to do with pgp]

"Anonymous" <nobody@remailer.paranoici.org> wrote in message

news:10512701b4a05036c9da14054d905fc0@remailer.paranoici.org...

> I would like to use public-key cryptography in a protocol I'm designing

> but having done a little research

Do a lot more research, there's a reason it takes several years to become

fluent enough in cryptography to make something secure, it is hard.

> I discovered there are two types: RSA

> and DSA.

There are actually many more than that, but RSA and the DH-based systems

(like DSA) are the most common.

> I believe the patents on RSA have expired so that's a positive,

> I'm not sure about DSA though.

The patent on DH expired before the RSA patent.

> Which one is the stronger one of the two?

Bit for bit it can be easily proven that DH is at least as strong, currently

they appear to be equally strong to the point where there are good arguments

for considering DLP and IFP to be the same problem.

> What key strength should I use if the goal was to have a PKI strength

> which is *at least* equal to 256-bits AES?

You're really gonna have to define key strength here, for example the answer

to your question is one of 1536, 16384, or 48000+ just based on three

different sets of assumptions.

> Another possibly related question: where/why is hashing used in a PKI

> system?

In many different places for many different reasons.

Some general advice:

Your design will be weak, most likely if you post it here someone will have

found a critical flaw inside of 3 hours. This isn't about you, it's about

the learning process. Even though I've been kicking around here (sci.crypt)

for a decade I still expect that anything I put up will be broken within 3

hours.

Joe

Re: What to use: RSA or DSA?

> I would like to use public-key cryptography in a protocol I'm designing

> but having done a little research I discovered there are two types: RSA

> and DSA.

> Which one is the stronger one of the two?

in terms of encryption, for equally sized keys, they are about the same

in terms of authentication, (signing)

DSA is limited to 160 bit hashes (SHA-1 or RIPEMD-160)

there have been preliminary weaknesses demonstrated for both

RSA can use any hash type of any size

(Whirlpool is a newer one that hasn't had any weakness demonstrated yet,

but maybe because it hasn't been looked at long and hard enough)

non-DSA-signing with the DH key (Elgamal signing) has been shown to

have many weaknesses and was finally dropped from the GnuPG PKI

available choices

vedaal

Re: What to use: RSA or DSA?

"vedaal" <vedaal@gmail.com> wrote:

> in terms of authentication, (signing)

> DSA is limited to 160 bit hashes (SHA-1 or RIPEMD-160)

> there have been preliminary weaknesses demonstrated for both

> RSA can use any hash type of any size

DSA can similarly be extended to hashes of any size.

OP:

> What key strength should I use if the goal was to have a PKI strength

> which is *at least* equal to 256-bits AES?

Silly question. Are you worried about real world attacks, or is this

an academic question? If the former, then you don't need 256-bit AES.

Re: What to use: RSA or DSA

Hey what's your problem? If you don't want to answer then don't. Don't

give me this 'you're stupid, go figure it out yourself' ****. Stop being

an ass and do yourself a favor.

I'm not a cryptologist and I don't intend to become one. I know a little

how things work (PKI, signing) but I'm basically trying to get some advice

on cryptographic strength needed for public key encryption. Now, I know

that public key encryption is used to encrypt a symmetric key (in my case

AES 256 bits) so I would need a RSA key strength with equivalent (I know

public-key encryption is weaker and therefore requires more bits to get

the same equivalent symmetric encryption strength). So how many bits would

this be? I believe 4096 bits is used in PGP but PGP doesn't encrypt an AES

key but something weaker, such as 3DES, so I may need more bits.

I also read up on the DSA and I understand where the hashing is used.

Question: is a hash of the private key used as a 'corresponding private

key'? Or is it done in some other way? BTW I was planning on using

Whirlpool as a hashing algorithm since it was recommended in a document I

read on the Truecrypt.org site.

So my main question is: what RSA key size (in bits) would I need to obtain

public-key encryption with equivalent strength of 256 bits AES!

Thanks!

Re: What to use: RSA or DSA

Borked Pseudo Mailed wrote:

> Now, I know

> that public key encryption is used to encrypt a symmetric key (in my case

> AES 256 bits) so I would need a RSA key strength with equivalent (I know

> public-key encryption is weaker and therefore requires more bits to get

> the same equivalent symmetric encryption strength). So how many bits would

> this be? I believe 4096 bits is used in PGP but PGP doesn't encrypt an AES

> key but something weaker, such as 3DES, so I may need more bits.

pgp and gnupg do encrypt to AES 256 and to TWOFISH 256

(if you are true-crypt oriented, then you might have been thinking of

SERPENT 256,

which true-crypt does encrypt to but gnupg/pgp do not)

with regard to the keysize,

there isn't a hard and fast formula that correlates 'strength' between

the public key size, and the symmetric key size,

but (afaik), the 'estimation' given by extrapolation of the equivalent

'workload' involved to break the pk,

gives a size of 'about' 15k (RSA) to a 256 bit symmetric algorithm

speaking only in the gnupg/pgp realm of 'what's available now',

the largest DH keys generateable are 8k

and the largest RSA ones are 16k

these can be generated by the ckt builds of 6.5.8, available from zedz:

ftp://ftp.zedz.net/pub/crypto/pgp/pgp60/pgp658_ckt/

(command line versions available)

current pgp/gnupg builds do not use whirlpool (yet)

but do use SHA256 and 512

> So my main question is: what RSA key size (in bits) would I need to obtain

> public-key encryption with equivalent strength of 256 bits AES!

15k,

(but am open to expert opinions here who may know of newer data)

but there is a much more serious consideration than PK size:

*passphrase size*

as an example,

using one agreed upon, relatively random, passphrase generating tool;

diceware

http://world.std.com/~reinhold/diceware.html

it would require 20 diceware words to need the same brute force break

as for a 256 bit symmetric key

2^256 ~= 1.158 x 10^77

a diceware word list has 7776 entries,

7776^20 ~= 6.533 x 10^77

vedaal
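
Added example, not part of any post in this thread: a Python sketch that reproduces the "about 15k" RSA estimate and the 20-word diceware figure quoted above for a 256-bit symmetric key. The RSA estimate assumes the general number field sieve running-time formula with the calibration constants from NIST's FIPS 140-2 Implementation Guidance; the function names and the 256-bit step are illustrative choices.

```python
import math


def rsa_strength_bits(modulus_bits: int) -> float:
    """Symmetric-equivalent strength of an RSA modulus of the given size.

    Uses the GNFS running-time estimate
        exp(1.923 * (ln n)^(1/3) * (ln ln n)^(2/3))
    with the -4.69 offset from NIST's FIPS 140-2 Implementation Guidance
    (an assumption of this example, not a figure from the thread).
    """
    ln_n = modulus_bits * math.log(2)
    work = 1.923 * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3) - 4.69
    return work / math.log(2)


def rsa_bits_for(target_bits: int, step: int = 256) -> int:
    """Smallest modulus size (a multiple of `step`) whose estimate meets the target."""
    bits = step
    while rsa_strength_bits(bits) < target_bits:
        bits += step
    return bits


def passphrase_words_for(target_bits: int, wordlist_size: int = 7776) -> int:
    """Words needed to reach target_bits of entropy, assuming each word is
    drawn uniformly at random from the list (7776 = diceware list size)."""
    return math.ceil(target_bits / math.log2(wordlist_size))


if __name__ == "__main__":
    print("symmetric bits -> RSA modulus bits, diceware words")
    for sym in (80, 112, 128, 192, 256):
        print(f"{sym:>4} -> {rsa_bits_for(sym):>6}, {passphrase_words_for(sym):>3}")
    for rsa in (1024, 2048, 4096, 8192, 15360, 16384):
        print(f"RSA-{rsa}: ~{rsa_strength_bits(rsa):.1f} bits")
```

The estimate is only as good as its assumption that GNFS remains the best attack; different assumptions give very different sizes, which is the point made earlier in the thread about there being several defensible answers.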

Re: What to use: RSA or DSA?

"vedaal" <vedaal@gmail.com> wrote:

> DSA is limited to 160 bit hashes (SHA-1 or RIPEMD-160)

NIST now recommends using DSA with hashes that are

sized 160, 224, or 256 bits. See this new draft:

March 13, 2006: Draft Federal Information Processing Standard (FIPS) 186-3 -

Digital Signature Standard (DSS)

http://csrc.nist.gov/publications/drafts.html

Re: What to use: RSA or DSA?

Roger Schlafly wrote:

> "vedaal" <vedaal@gmail.com> wrote:

> > DSA is limited to 160 bit hashes (SHA-1 or RIPEMD-160)

>

> NIST now recommends using DSA with hashes that are

> sized 160, 224, or 256 bits. See this new draft:

>

> March 13, 2006: Draft Federal Information Processing Standard (FIPS) 186-3 -

> Digital Signature Standard (DSS)

> http://csrc.nist.gov/publications/drafts.html

can the DSA extension be implemented to work with existing pgp/gnupg dh

keys,

or will it require a new dh key structure?

(there is some talk about a new V5 key-type on the pgp-ietf workgroup

list,

but actual proposals have not yet been put forth)

vedaal
