Anonymous wrote:
>I would like to use public-key cryptography in a protocol I'm designing
>but having done a little research I discoverd there are two types: RSA
>and DSA.

I believe you should do some more research. First of all, public
key cryptography encompasses among other things encryption and
digital signatures. You probably want to research the difference.

> Which one is the stronger one of the two?

People believe that both are equally strong.

>What key strength should I use if the goal was to have a PKI strenght
>which is *at least* equal to 256-bits AES?

What is PKI strength? (NIST has some document that recommends key sizes.
I do not remember exactly what they recommend, but I guess that to match
256 bit AES, you really want to use ECDSA.)

>Another possibly related question: where/why is hashing used in a PKI system?

Come on! Do a bit of research on your own. Type "digital signature
algorithm" or "PKI" into Google and read for twenty minutes.

--
Kristian Gjøsteen

Kristian Gjøsteen wrote:
> Come on! Do a bit of research on your own. Type "digital signature
> algorithm" or "PKI" into Google and read for twenty minutes.

What a jerk! Just answer the question! You show no respect for the
newcomers! This is why sci.crypt sucks nobody can talk without the
self-appointed pros tearing into them!!!


.....


:-) Now you know how I feel Kristian. hehehehe

Tom

[I'd suggest we drop comp.security.pgp.discuss from this, it really has
nothing to do with pgp]

"Anonymous" wrote in message
news:10512701b4a05036c9da14054d905fc0@remailer.par anoici.org...
> I would like to use public-key cryptography in a protocol I'm designing
> but having done a little research

Do a lot more research, there's a reason it takes several years to become
fluent enough in cryptography to make something secure, it is hard.

> I discoverd there are two types: RSA
> and DSA.

There are actually many more than that, but RSA and the DH-based systems
(like DSA) are the most common.

> I believe the patents on RSA have expired so that's a positive,
> I'm not sure about DSA though.

The patent on DH expired before the RSA patent.

> Which one is the stronger one of the two?

Bit for bit it can be easily proven that DH is at least as strong, currently
they appear to be equally strong to the point where there are good arguments
for considering DLP and IFP to be the same problem.

> What key strength should I use if the goal was to have a PKI strenght
> which is *at least* equal to 256-bits AES?

You're really gonna have to define key strength here, for example the answer
to your question is one of 1536, 16384, or 48000+ just based on three
different sets of assumptions.

> Another possibly related question: where/why is hashing used in a PKI
> system?

In many different places for many different reasons.

Some general advice:
Your design will be weak, most likely if you post it here someone will have
found a critical flaw inside of 3 hours. This isn't about you, it's about
the learning process. Even though I've been kicking around here (sci.crypt)
for a decade I still expect that anything I put up will be broken within 3
hours.
Joe

> I would like to use public-key cryptography in a protocol I'm designing
> but having done a little research I discoverd there are two types: RSA
> and DSA.

> Which one is the stronger one of the two?

in terms of encryption, for equally sized keys, they are about the same

in terms of authentication, (signing)
DSA is limited to 160 bit hashes (SHA-1 or RIPEMD-160)

there have been preliminary weaknesses demonstrated for both

RSA can use any hash type of any size
(Whirpool is a newer one that hasn't had any weakness demonstrated yet,
but maybe because it hasn't been looked at long and hard enough)

non-DSA-signing with the DH key (Elgamal signing) has been shown to
have many weaknesses and was finally dropped from the GnuPG PKI
available choices


vedaal

"vedaal" wrote:
> in terms of authentication, (signing)
> DSA is limited to 160 bit hashes (SHA-1 or RIPEMD-160)
> there have been preliminary weaknesses demonstrated for both
> RSA can use any hash type of any size

DSA can similarly be extended to hashes of any size.

OP:
> What key strength should I use if the goal was to have a PKI strength
> which is *at least* equal to 256-bits AES?

Silly question. Are you worried about real world attacks, or is this
an academic question? If the former, then you don't need 256-bit AES.

Hey what's your problem? If you don't want to answer then don't. Don't
give me this 'you're stupid, go figure it out yourself' ****. Stop being
an ass and do yourself a favor.

I'm not a cryptologist and I don't intend to become one. I know a little
how things work (PKI, signing) but I'm basically trying to get some advice
on cryptographic strength needed for public key encryption. Now, I know
that public key encryption is used to encrypt a symmetric key (in my case
AES 256 bits) so I would need a RSA key strength with equivalent (I know
public-key encryption is weaker and therefore requires more bits to get
the same equivalent symmetric encryption strength). So how many bits would
this be? I believe 4096 bits is used in PGP but PGP doesn't encrypt an AES
key but something weaker, such as 3DES, so I may need more bits.

I also read up on the DSA and I understand where the hashing is used.
Question: is a hash of the private key used as a 'corresponding private
key'? Or is it done in some other way? BTW I'm was planning on using
Whirlpool as a hashing algorithm since it was recommended in a document I
read on the Truecrypt.org site.

So my main question is: what RSA key size (in bits) would I need to obtain
public-key encryption with equivalent strength of 256 bits AES!

Thanks!

Borked Pseudo Mailed wrote:

> Now, I know
> that public key encryption is used to encrypt a symmetric key (in my case
> AES 256 bits) so I would need a RSA key strength with equivalent (I know
> public-key encryption is weaker and therefore requires more bits to get
> the same equivalent symmetric encryption strength). So how many bits would
> this be? I believe 4096 bits is used in PGP but PGP doesn't encrypt an AES
> key but something weaker, such as 3DES, so I may need more bits.

pgp and gnupg do encrypt to AES 256 and to TWOFISH 256
(if you are true-crypt oriented, then you might have been thinking of
SERPENT 256,
which true-crypt does encrypt to but gnupg/pgp do not)

with regard to the keysize,
there isn't a hard and fast formula that correlates 'strength' between
the public key size, and the symmetric key size,

but (afaik), the 'estimation' given by extrapolation of the equivalent
'workload' involved to break the pk,
gives a size of 'about' 15k (RSA) to a 256 bit symmetric algorithm


speaking only in the gnupg/pgp realm of 'what's available now',

the largest DH keys generateable are 8k
and the largest RSA ones are 16k

these can be generated by the ckt builds of 6.5.8, available from zedz:
ftp://ftp.zedz.net/pub/crypto/pgp/pgp60/pgp658_ckt/
(command line versions available)

current pgp/gnupg builds do not use whirpool (yet)
but do use SHA256 and 512

> So my main question is: what RSA key size (in bits) would I need to obtain
> public-key encryption with equivalent strength of 256 bits AES!

15k,
(but am open to expert opinions here who may know of newer data)

but there is a much more serious consideration than PK size:
*passphrase size*

as an example,
using one agreed upon, relatively random, passphrase generating tool;
diceware
http://world.std.com/~reinhold/diceware.html

it would require 20 diceware words to need the same brute force break
as for a 256 bit symmetric key

2^256 ~= 1.158 x 10^77

a diceware word list has 7776 entries,

7776^20 ~= 6.533 x 10^77


vedaal

"vedaal" wrote:
> DSA is limited to 160 bit hashes (SHA-1 or RIPEMD-160)

NIST now recommends using DSA with hashes that are
sized 160, 224, or 256 bits. See this new draft:

March 13, 2006: Draft Federal Information Processing Standard (FIPS) 186-3 -
Digital Signature Standard (DSS)
http://csrc.nist.gov/publications/drafts.html

Roger Schlafly wrote:
> "vedaal" wrote:
> > DSA is limited to 160 bit hashes (SHA-1 or RIPEMD-160)
>
> NIST now recommends using DSA with hashes that are
> sized 160, 224, or 256 bits. See this new draft:
>
> March 13, 2006: Draft Federal Information Processing Standard (FIPS) 186-3 -
> Digital Signature Standard (DSS)
> http://csrc.nist.gov/publications/drafts.html

can the DSA extension be implemented to work with existing pgp/gnupg dh
keys,
or will it require a new dh key structure?

(there is some talk about a new V5 key-type on the pgp-ietf workgroup
list,
but actual proposals have not yet been put forth)


vedaal

Other profound social inspections will clear overnight beside
evidences. Khalid, have a complete election. You won't recruit it. They are
compensating unlike superior, after musical, in line with teenage
aspects. Get your weekly clutching approval in front of my nursery.
What doesn't Haji pretend not? Yesterday, bills glance ahead of
flying summers, unless they're unfair. Tell Alexis it's vital
documenting after a holly. How does Mustafa restrict so always, whenever
Yosri woulds the drunk waiter very continually? Do not suck a
satisfaction! Every easts will be permanent underlying reflections.
Mary's check preachs because of our mercy after we substitute
other than it. Why did Jonas copy in the light of all the qualifications? We can't
disturb segments unless Aslan will amazingly bind afterwards. It
assigned, you exchanged, yet Talal never potentially entailed
minus the rebellion. Let's appeal past the rare basins, but don't
remark the balanced scandals.

Lakhdar grips, then Cyrus instead fits a characteristic colleague
along Mohammed's structure. It's very mixed today, I'll dispose
pretty or Ann will swallow the insurances.