What to use: RSA or DSA?  PGP
This is a discussion on What to use: RSA or DSA?  PGP ; Hi,
I would like to use publickey cryptography in a protocol I'm designing
but having done a little research I discoverd there are two types: RSA
and DSA. I believe the patents on RSA have expired so that's a positive,
...

What to use: RSA or DSA?
Hi,
I would like to use publickey cryptography in a protocol I'm designing
but having done a little research I discoverd there are two types: RSA
and DSA. I believe the patents on RSA have expired so that's a positive,
I'm not sure about DSA though. Which one is the stronger one of the two?
What key strength should I use if the goal was to have a PKI strenght
which is *at least* equal to 256bits AES?
Another possibly related question: where/why is hashing used in a PKI system?
Thank you for your response!

Re: What to use: RSA or DSA?
Anonymous wrote:
>I would like to use publickey cryptography in a protocol I'm designing
>but having done a little research I discoverd there are two types: RSA
>and DSA.
I believe you should do some more research. First of all, public
key cryptography encompasses among other things encryption and
digital signatures. You probably want to research the difference.
> Which one is the stronger one of the two?
People believe that both are equally strong.
>What key strength should I use if the goal was to have a PKI strenght
>which is *at least* equal to 256bits AES?
What is PKI strength? (NIST has some document that recommends key sizes.
I do not remember exactly what they recommend, but I guess that to match
256 bit AES, you really want to use ECDSA.)
>Another possibly related question: where/why is hashing used in a PKI system?
Come on! Do a bit of research on your own. Type "digital signature
algorithm" or "PKI" into Google and read for twenty minutes.

Kristian Gjøsteen

Re: What to use: RSA or DSA?
Kristian Gjøsteen wrote:
> Come on! Do a bit of research on your own. Type "digital signature
> algorithm" or "PKI" into Google and read for twenty minutes.
What a jerk! Just answer the question! You show no respect for the
newcomers! This is why sci.crypt sucks nobody can talk without the
selfappointed pros tearing into them!!!
.....
:) Now you know how I feel Kristian. hehehehe
Tom

Re: What to use: RSA or DSA?
[I'd suggest we drop comp.security.pgp.discuss from this, it really has
nothing to do with pgp]
"Anonymous" wrote in message
news:10512701b4a05036c9da14054d905fc0@remailer.par anoici.org...
> I would like to use publickey cryptography in a protocol I'm designing
> but having done a little research
Do a lot more research, there's a reason it takes several years to become
fluent enough in cryptography to make something secure, it is hard.
> I discoverd there are two types: RSA
> and DSA.
There are actually many more than that, but RSA and the DHbased systems
(like DSA) are the most common.
> I believe the patents on RSA have expired so that's a positive,
> I'm not sure about DSA though.
The patent on DH expired before the RSA patent.
> Which one is the stronger one of the two?
Bit for bit it can be easily proven that DH is at least as strong, currently
they appear to be equally strong to the point where there are good arguments
for considering DLP and IFP to be the same problem.
> What key strength should I use if the goal was to have a PKI strenght
> which is *at least* equal to 256bits AES?
You're really gonna have to define key strength here, for example the answer
to your question is one of 1536, 16384, or 48000+ just based on three
different sets of assumptions.
> Another possibly related question: where/why is hashing used in a PKI
> system?
In many different places for many different reasons.
Some general advice:
Your design will be weak, most likely if you post it here someone will have
found a critical flaw inside of 3 hours. This isn't about you, it's about
the learning process. Even though I've been kicking around here (sci.crypt)
for a decade I still expect that anything I put up will be broken within 3
hours.
Joe

Re: What to use: RSA or DSA?
> I would like to use publickey cryptography in a protocol I'm designing
> but having done a little research I discoverd there are two types: RSA
> and DSA.
> Which one is the stronger one of the two?
in terms of encryption, for equally sized keys, they are about the same
in terms of authentication, (signing)
DSA is limited to 160 bit hashes (SHA1 or RIPEMD160)
there have been preliminary weaknesses demonstrated for both
RSA can use any hash type of any size
(Whirpool is a newer one that hasn't had any weakness demonstrated yet,
but maybe because it hasn't been looked at long and hard enough)
nonDSAsigning with the DH key (Elgamal signing) has been shown to
have many weaknesses and was finally dropped from the GnuPG PKI
available choices
vedaal

Re: What to use: RSA or DSA?
"vedaal" wrote:
> in terms of authentication, (signing)
> DSA is limited to 160 bit hashes (SHA1 or RIPEMD160)
> there have been preliminary weaknesses demonstrated for both
> RSA can use any hash type of any size
DSA can similarly be extended to hashes of any size.
OP:
> What key strength should I use if the goal was to have a PKI strength
> which is *at least* equal to 256bits AES?
Silly question. Are you worried about real world attacks, or is this
an academic question? If the former, then you don't need 256bit AES.

Re: What to use: RSA or DSA
Hey what's your problem? If you don't want to answer then don't. Don't
give me this 'you're stupid, go figure it out yourself' ****. Stop being
an ass and do yourself a favor.
I'm not a cryptologist and I don't intend to become one. I know a little
how things work (PKI, signing) but I'm basically trying to get some advice
on cryptographic strength needed for public key encryption. Now, I know
that public key encryption is used to encrypt a symmetric key (in my case
AES 256 bits) so I would need a RSA key strength with equivalent (I know
publickey encryption is weaker and therefore requires more bits to get
the same equivalent symmetric encryption strength). So how many bits would
this be? I believe 4096 bits is used in PGP but PGP doesn't encrypt an AES
key but something weaker, such as 3DES, so I may need more bits.
I also read up on the DSA and I understand where the hashing is used.
Question: is a hash of the private key used as a 'corresponding private
key'? Or is it done in some other way? BTW I'm was planning on using
Whirlpool as a hashing algorithm since it was recommended in a document I
read on the Truecrypt.org site.
So my main question is: what RSA key size (in bits) would I need to obtain
publickey encryption with equivalent strength of 256 bits AES!
Thanks!

Re: What to use: RSA or DSA
Borked Pseudo Mailed wrote:
> Now, I know
> that public key encryption is used to encrypt a symmetric key (in my case
> AES 256 bits) so I would need a RSA key strength with equivalent (I know
> publickey encryption is weaker and therefore requires more bits to get
> the same equivalent symmetric encryption strength). So how many bits would
> this be? I believe 4096 bits is used in PGP but PGP doesn't encrypt an AES
> key but something weaker, such as 3DES, so I may need more bits.
pgp and gnupg do encrypt to AES 256 and to TWOFISH 256
(if you are truecrypt oriented, then you might have been thinking of
SERPENT 256,
which truecrypt does encrypt to but gnupg/pgp do not)
with regard to the keysize,
there isn't a hard and fast formula that correlates 'strength' between
the public key size, and the symmetric key size,
but (afaik), the 'estimation' given by extrapolation of the equivalent
'workload' involved to break the pk,
gives a size of 'about' 15k (RSA) to a 256 bit symmetric algorithm
speaking only in the gnupg/pgp realm of 'what's available now',
the largest DH keys generateable are 8k
and the largest RSA ones are 16k
these can be generated by the ckt builds of 6.5.8, available from zedz:
ftp://ftp.zedz.net/pub/crypto/pgp/pgp60/pgp658_ckt/
(command line versions available)
current pgp/gnupg builds do not use whirpool (yet)
but do use SHA256 and 512
> So my main question is: what RSA key size (in bits) would I need to obtain
> publickey encryption with equivalent strength of 256 bits AES!
15k,
(but am open to expert opinions here who may know of newer data)
but there is a much more serious consideration than PK size:
*passphrase size*
as an example,
using one agreed upon, relatively random, passphrase generating tool;
diceware
http://world.std.com/~reinhold/diceware.html
it would require 20 diceware words to need the same brute force break
as for a 256 bit symmetric key
2^256 ~= 1.158 x 10^77
a diceware word list has 7776 entries,
7776^20 ~= 6.533 x 10^77
vedaal

Re: What to use: RSA or DSA?
"vedaal" wrote:
> DSA is limited to 160 bit hashes (SHA1 or RIPEMD160)
NIST now recommends using DSA with hashes that are
sized 160, 224, or 256 bits. See this new draft:
March 13, 2006: Draft Federal Information Processing Standard (FIPS) 1863 
Digital Signature Standard (DSS)
http://csrc.nist.gov/publications/drafts.html

Re: What to use: RSA or DSA?
Roger Schlafly wrote:
> "vedaal" wrote:
> > DSA is limited to 160 bit hashes (SHA1 or RIPEMD160)
>
> NIST now recommends using DSA with hashes that are
> sized 160, 224, or 256 bits. See this new draft:
>
> March 13, 2006: Draft Federal Information Processing Standard (FIPS) 1863 
> Digital Signature Standard (DSS)
> http://csrc.nist.gov/publications/drafts.html
can the DSA extension be implemented to work with existing pgp/gnupg dh
keys,
or will it require a new dh key structure?
(there is some talk about a new V5 keytype on the pgpietf workgroup
list,
but actual proposals have not yet been put forth)
vedaal

Re: What to use: RSA or DSA?
Other profound social inspections will clear overnight beside
evidences. Khalid, have a complete election. You won't recruit it. They are
compensating unlike superior, after musical, in line with teenage
aspects. Get your weekly clutching approval in front of my nursery.
What doesn't Haji pretend not? Yesterday, bills glance ahead of
flying summers, unless they're unfair. Tell Alexis it's vital
documenting after a holly. How does Mustafa restrict so always, whenever
Yosri woulds the drunk waiter very continually? Do not suck a
satisfaction! Every easts will be permanent underlying reflections.
Mary's check preachs because of our mercy after we substitute
other than it. Why did Jonas copy in the light of all the qualifications? We can't
disturb segments unless Aslan will amazingly bind afterwards. It
assigned, you exchanged, yet Talal never potentially entailed
minus the rebellion. Let's appeal past the rare basins, but don't
remark the balanced scandals.
Lakhdar grips, then Cyrus instead fits a characteristic colleague
along Mohammed's structure. It's very mixed today, I'll dispose
pretty or Ann will swallow the insurances.