What to use: RSA or DSA? - PGP



Thread: What to use: RSA or DSA?

  1. What to use: RSA or DSA?


    Hi,

    I would like to use public-key cryptography in a protocol I'm designing
    but having done a little research I discovered there are two types: RSA
    and DSA. I believe the patents on RSA have expired so that's a positive,
    I'm not sure about DSA though. Which one is the stronger one of the two?
    What key strength should I use if the goal was to have a PKI strength
    which is *at least* equal to 256-bits AES?

    Another possibly related question: where/why is hashing used in a PKI system?


    Thank you for your response!




  2. Re: What to use: RSA or DSA?

    Anonymous wrote:
    >I would like to use public-key cryptography in a protocol I'm designing
    >but having done a little research I discovered there are two types: RSA
    >and DSA.


    I believe you should do some more research. First of all, public
    key cryptography encompasses among other things encryption and
    digital signatures. You probably want to research the difference.

    > Which one is the stronger one of the two?


    People believe that both are equally strong.

    >What key strength should I use if the goal was to have a PKI strength
    >which is *at least* equal to 256-bits AES?


    What is PKI strength? (NIST has some document that recommends key sizes.
    I do not remember exactly what they recommend, but I guess that to match
    256 bit AES, you really want to use ECDSA.)

    >Another possibly related question: where/why is hashing used in a PKI system?


    Come on! Do a bit of research on your own. Type "digital signature
    algorithm" or "PKI" into Google and read for twenty minutes.

    --
    Kristian Gjøsteen

  3. Re: What to use: RSA or DSA?

    Kristian Gjøsteen wrote:
    > Come on! Do a bit of research on your own. Type "digital signature
    > algorithm" or "PKI" into Google and read for twenty minutes.


    What a jerk! Just answer the question! You show no respect for the
    newcomers! This is why sci.crypt sucks: nobody can talk without the
    self-appointed pros tearing into them!!!


    .....


    :-) Now you know how I feel Kristian. hehehehe

    Tom


  4. Re: What to use: RSA or DSA?

    [I'd suggest we drop comp.security.pgp.discuss from this, it really has
    nothing to do with pgp]

    "Anonymous" wrote in message
    news:10512701b4a05036c9da14054d905fc0@remailer.paranoici.org...
    > I would like to use public-key cryptography in a protocol I'm designing
    > but having done a little research


    Do a lot more research, there's a reason it takes several years to become
    fluent enough in cryptography to make something secure, it is hard.

    > I discovered there are two types: RSA
    > and DSA.


    There are actually many more than that, but RSA and the DH-based systems
    (like DSA) are the most common.

    > I believe the patents on RSA have expired so that's a positive,
    > I'm not sure about DSA though.


    The patent on DH expired before the RSA patent.

    > Which one is the stronger one of the two?


    Bit for bit it can be easily proven that DH is at least as strong; currently
    they appear to be equally strong, to the point where there are good arguments
    for considering DLP and IFP to be the same problem.

    > What key strength should I use if the goal was to have a PKI strength
    > which is *at least* equal to 256-bits AES?


    You're really gonna have to define key strength here, for example the answer
    to your question is one of 1536, 16384, or 48000+ just based on three
    different sets of assumptions.

    > Another possibly related question: where/why is hashing used in a PKI
    > system?


    In many different places for many different reasons.

    Some general advice:
    Your design will be weak; most likely, if you post it here, someone will have
    found a critical flaw inside of 3 hours. This isn't about you, it's about
    the learning process. Even though I've been kicking around here (sci.crypt)
    for a decade I still expect that anything I put up will be broken within 3
    hours.
    Joe



  5. Re: What to use: RSA or DSA?

    > I would like to use public-key cryptography in a protocol I'm designing
    > but having done a little research I discovered there are two types: RSA
    > and DSA.


    > Which one is the stronger one of the two?


    in terms of encryption, for equally sized keys, they are about the same

    in terms of authentication, (signing)
    DSA is limited to 160 bit hashes (SHA-1 or RIPEMD-160)

    there have been preliminary weaknesses demonstrated for both

    RSA can use any hash type of any size
    (Whirlpool is a newer one that hasn't had any weakness demonstrated yet,
    but maybe because it hasn't been looked at long and hard enough)

    non-DSA-signing with the DH key (Elgamal signing) has been shown to
    have many weaknesses and was finally dropped from the GnuPG PKI
    available choices


    vedaal


  6. Re: What to use: RSA or DSA?

    "vedaal" wrote:
    > in terms of authentication, (signing)
    > DSA is limited to 160 bit hashes (SHA-1 or RIPEMD-160)
    > there have been preliminary weaknesses demonstrated for both
    > RSA can use any hash type of any size


    DSA can similarly be extended to hashes of any size.

    OP:
    > What key strength should I use if the goal was to have a PKI strength
    > which is *at least* equal to 256-bits AES?


    Silly question. Are you worried about real world attacks, or is this
    an academic question? If the former, then you don't need 256-bit AES.



  7. Re: What to use: RSA or DSA


    Hey what's your problem? If you don't want to answer then don't. Don't
    give me this 'you're stupid, go figure it out yourself' ****. Stop being
    an ass and do yourself a favor.

    I'm not a cryptologist and I don't intend to become one. I know a little
    how things work (PKI, signing) but I'm basically trying to get some advice
    on cryptographic strength needed for public key encryption. Now, I know
    that public key encryption is used to encrypt a symmetric key (in my case
    AES 256 bits) so I would need an RSA key strength with equivalent (I know
    public-key encryption is weaker and therefore requires more bits to get
    the same equivalent symmetric encryption strength). So how many bits would
    this be? I believe 4096 bits is used in PGP but PGP doesn't encrypt an AES
    key but something weaker, such as 3DES, so I may need more bits.

    I also read up on the DSA and I understand where the hashing is used.
    Question: is a hash of the private key used as a 'corresponding private
    key'? Or is it done in some other way? BTW I was planning on using
    Whirlpool as a hashing algorithm since it was recommended in a document I
    read on the Truecrypt.org site.

    So my main question is: what RSA key size (in bits) would I need to obtain
    public-key encryption with equivalent strength of 256 bits AES!

    Thanks!




  8. Re: What to use: RSA or DSA

    Borked Pseudo Mailed wrote:

    > Now, I know
    > that public key encryption is used to encrypt a symmetric key (in my case
    > AES 256 bits) so I would need an RSA key strength with equivalent (I know
    > public-key encryption is weaker and therefore requires more bits to get
    > the same equivalent symmetric encryption strength). So how many bits would
    > this be? I believe 4096 bits is used in PGP but PGP doesn't encrypt an AES
    > key but something weaker, such as 3DES, so I may need more bits.


    pgp and gnupg do encrypt to AES 256 and to TWOFISH 256
    (if you are true-crypt oriented, then you might have been thinking of
    SERPENT 256,
    which true-crypt does encrypt to but gnupg/pgp do not)

    with regard to the keysize,
    there isn't a hard and fast formula that correlates 'strength' between
    the public key size, and the symmetric key size,

    but (afaik), the 'estimation' given by extrapolation of the equivalent
    'workload' involved to break the pk,
    gives a size of 'about' 15k (RSA) to a 256 bit symmetric algorithm


    speaking only in the gnupg/pgp realm of 'what's available now',

    the largest DH keys generatable are 8k
    and the largest RSA ones are 16k

    these can be generated by the ckt builds of 6.5.8, available from zedz:
    ftp://ftp.zedz.net/pub/crypto/pgp/pgp60/pgp658_ckt/
    (command line versions available)

    current pgp/gnupg builds do not use whirlpool (yet)
    but do use SHA256 and 512

    > So my main question is: what RSA key size (in bits) would I need to obtain
    > public-key encryption with equivalent strength of 256 bits AES!


    15k,
    (but am open to expert opinions here who may know of newer data)

    but there is a much more serious consideration than PK size:
    *passphrase size*

    as an example,
    using one agreed upon, relatively random, passphrase generating tool;
    diceware
    http://world.std.com/~reinhold/diceware.html

    it would require 20 diceware words to need the same brute force break
    as for a 256 bit symmetric key

    2^256 ~= 1.158 x 10^77

    a diceware word list has 7776 entries,

    7776^20 ~= 6.533 x 10^77


    vedaal

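    An added worked example (not code from any poster, nor from PGP or GnuPG) that puts numbers on two claims in the post above: the "about 15k" RSA size said to match a 256-bit symmetric key, and the 20 Diceware words needed to reach 2^256 possibilities. The RSA estimate uses the standard heuristic GNFS running time L_n[1/3, (64/9)^(1/3)]; since that formula has an unknown constant factor, the example calibrates it on the assumption that 1024-bit RSA is worth roughly 80 bits of symmetric security, which is this example's assumption and not something the thread states.

```python
import math

DICEWARE_LIST_SIZE = 7776  # 6^5 entries in a standard Diceware word list


def gnfs_work_bits(modulus_bits: int) -> float:
    """log2 of the heuristic GNFS factoring effort for an RSA modulus of
    modulus_bits bits, i.e. L_n[1/3, (64/9)^(1/3)] with n = 2**modulus_bits.
    Only differences between two sizes are meaningful (unknown constant)."""
    ln_n = modulus_bits * math.log(2)
    c = (64 / 9) ** (1 / 3)
    return c * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3) / math.log(2)


def rsa_bits_for_security(sec_bits: int, anchor=(1024, 80)) -> int:
    """Smallest RSA modulus size (a multiple of 256 bits) whose estimated GNFS
    effort is at least 2**sec_bits, after calibrating the formula so that the
    anchor size maps to the anchor security level.  The default anchor
    (1024-bit RSA ~ 80-bit symmetric) is an assumption of this example."""
    anchor_size, anchor_sec = anchor
    calibration = gnfs_work_bits(anchor_size) - anchor_sec
    size = 512
    # tiny tolerance so the anchor size itself is accepted despite float rounding
    while gnfs_work_bits(size) - calibration < sec_bits - 1e-9:
        size += 256
    return size


def diceware_entropy_bits(words: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy of a passphrase of `words` words drawn uniformly from the list."""
    return words * math.log2(list_size)


def diceware_words_for(sec_bits: int, list_size: int = DICEWARE_LIST_SIZE) -> int:
    """Fewest words such that the number of possible passphrases,
    list_size**words, is at least 2**sec_bits (exact integer arithmetic)."""
    words = 0
    while list_size ** words < 2 ** sec_bits:
        words += 1
    return words


if __name__ == "__main__":
    for sec in (80, 112, 128, 192, 256):
        n_words = diceware_words_for(sec)
        print(f"{sec:3d}-bit symmetric ~ RSA-{rsa_bits_for_security(sec)}, "
              f"{n_words} Diceware words ({diceware_entropy_bits(n_words):.1f} bits)")
```

    The calibrated model lands near 15k bits for the 256-bit level and near 3k for 128 bits, in line with the "about 15k" figure above; 19 Diceware words fall short of 2^256 and 20 exceed it, as the post's arithmetic shows.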

  9. Re: What to use: RSA or DSA?

    "vedaal" wrote:
    > DSA is limited to 160 bit hashes (SHA-1 or RIPEMD-160)


    NIST now recommends using DSA with hashes that are
    sized 160, 224, or 256 bits. See this new draft:

    March 13, 2006: Draft Federal Information Processing Standard (FIPS) 186-3 -
    Digital Signature Standard (DSS)
    http://csrc.nist.gov/publications/drafts.html



  10. Re: What to use: RSA or DSA?


    Roger Schlafly wrote:
    > "vedaal" wrote:
    > > DSA is limited to 160 bit hashes (SHA-1 or RIPEMD-160)

    >
    > NIST now recommends using DSA with hashes that are
    > sized 160, 224, or 256 bits. See this new draft:
    >
    > March 13, 2006: Draft Federal Information Processing Standard (FIPS) 186-3 -
    > Digital Signature Standard (DSS)
    > http://csrc.nist.gov/publications/drafts.html


    can the DSA extension be implemented to work with existing pgp/gnupg dh
    keys,
    or will it require a new dh key structure?

    (there is some talk about a new V5 key-type on the pgp-ietf workgroup
    list,
    but actual proposals have not yet been put forth)


    vedaal





