Re: Suggested changes for DSA2
David Shaw <dshaw@jabberwocky.com> Wed, 29 March 2006 01:21 UTC
Date: Tue, 28 Mar 2006 18:22:49 -0500
From: David Shaw <dshaw@jabberwocky.com>
To: Hal Finney <hal@finney.org>
Cc: ietf-openpgp@imc.org
Subject: Re: Suggested changes for DSA2

On Tue, Mar 28, 2006 at 01:04:12PM -0800, "Hal Finney" wrote:

> I support David's suggestion to include a SHOULD relating hash size to key
> size. But it makes sense to me to extend our current key size SHOULD
> recommendations to include advice regarding subgroup size, hash size,
> and symmetric cipher key size. This would correspond to Table 2 on page
> 63 of NIST's SP800-57:
> http://csrc.nist.gov/publications/nistpubs/800-57/SP800-57-Part1.pdf
>
> The sizes from that table are:
>
>     1024 / 160 / 80
>     2048 / 224 / 112
>     3072 / 512 / 256
>     7680 / 768 / 384
>     15360 / 1024 / 512
>
> where the 1st column is the RSA, DSA or DH modulus size, the second
> column is the hash/subgroup size, and the 3rd column is the symmetric
> cipher key size (which is also the strength in bits).

Are you sure that table is correct? I thought it was:

    1024 / 160 / 80
    2048 / 224 / 112
    3072 / 256 / 128
    7680 / 384 / 192
    15360 / 512 / 256

> Proposed language:
>
> In order to provide consistent levels of security for end users,
> implementors SHOULD balance public key modulus size, subgroup size,
> hash size, and symmetric algorithm key size. While consensus about
> appropriate choices of these parameters may change with time, NIST
> Special Publication 800-57 recommends the following parameter size
> choices:
>
> [Some version of NIST's Table 2 here]
>
> Implementors SHOULD use and require public key and other parameters
> consistent with values in this table, or updated information based
> on evolving consensus in the field.

I'm not sure this is the right way to go about it. Is balance
actually what we want, or would it be better to just remind people
that the weakest parameter constrains the level of security? There is
nothing invalid about an 8192-bit RSA key making SHA-1 signatures. It
just means that the signature has at most 80 bits of strength. The
signer could have used a 1024-bit RSA key and gotten the same 80 bits
of strength, but that doesn't make the 8192-bit signature wrong (just
large).

My suggested wording was more to encourage implementors to indicate
the actual strength, rather than to force balance. How about this
(presumably for the Security Considerations section):

    As OpenPGP combines many different asymmetric, symmetric, and hash
    algorithms, each with different measures of strength, care should
    be taken that the weakest element of an OpenPGP message is still
    sufficiently strong for the purpose at hand. Implementations
    receiving messages SHOULD indicate to the user the actual strength
    of the messages. While consensus about the strength of a given
    algorithm may evolve, at publication time, NIST Special
    Publication 800-57 [SP800-57] recommended the following list of
    equivalent strengths:

    [ put table here ]

I'm still in favor of making the NIST list a SHOULD for generating
DSA2 keys, of course.

David
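
An added example, not part of the original message or of any OpenPGP implementation: a sketch of the "indicate the actual strength" check discussed above, using the table as given in the reply. The function names, the rounding of in-between modulus sizes down to the nearest table row, and the rating of sizes below 1024 bits as 0 are assumptions made for this illustration.

```python
from bisect import bisect_right

# (modulus bits, hash/subgroup bits, strength bits), as listed in the reply above.
TABLE = [
    (1024, 160, 80),
    (2048, 224, 112),
    (3072, 256, 128),
    (7680, 384, 192),
    (15360, 512, 256),
]
_MODULI = [row[0] for row in TABLE]

# Output sizes of the hash algorithms, in bits.
HASH_BITS = {"SHA1": 160, "SHA224": 224, "SHA256": 256,
             "SHA384": 384, "SHA512": 512}


def modulus_strength(bits):
    """Strength of an RSA/DSA/DH modulus: the highest table row it reaches.

    Assumption: sizes between rows round down (4096 rates as 3072), and
    sizes below the first row are reported as 0 (not rated by the table).
    """
    i = bisect_right(_MODULI, bits)
    return TABLE[i - 1][2] if i else 0


def signature_strength(modulus_bits, hash_name, subgroup_bits=None):
    """Return (strength, weakest_element, per_element_strengths).

    A hash or a DSA subgroup of n bits gives n/2 bits of strength, which
    is the relation between the second and third table columns.
    """
    parts = {
        "modulus": modulus_strength(modulus_bits),
        "hash": HASH_BITS[hash_name] // 2,
    }
    if subgroup_bits is not None:  # DSA only; RSA has no subgroup
        parts["subgroup"] = subgroup_bits // 2
    weakest = min(parts, key=parts.get)  # first element wins a tie
    return parts[weakest], weakest, parts


if __name__ == "__main__":
    # Constructed sample inputs: (label, modulus, hash, subgroup).
    samples = [
        ("RSA-8192 + SHA-1", 8192, "SHA1", None),
        ("RSA-1024 + SHA-1", 1024, "SHA1", None),
        ("DSA-2048/224 + SHA-256", 2048, "SHA256", 224),
        ("DSA-3072/256 + SHA-1", 3072, "SHA1", 256),
    ]
    for label, mod, h, q in samples:
        bits, weakest, _ = signature_strength(mod, h, q)
        print(f"{label}: {bits} bits (limited by {weakest})")
```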