[Pkg-gnupg-maint] Bug#739424: gnupg dies with "gpg: out of secure memory [...]" since 1.4.16-1

Marc Lehmann schmorp at schmorp.de
Tue Oct 21 17:54:05 UTC 2014


On Tue, Oct 21, 2014 at 06:29:33PM +0200, Florian Weimer <fw at deneb.enyo.de> wrote:
> > NIST 2012 also recommends similar key sizes (15360 bits).
> 
> NIST is being a bit disingenuous there.  There is no published material
> which shows that such long keys actually add any security.  For all we
> know, they may well offer only reduced security because the large
> modulus reduces mixing or something like that.

Um, where to begin... "this is not even wrong".

It's established fact that longer rsa keys do add security (and there is
a large pool of publications showing so), which is why a 1024 bit rsa key
(very long by standards 20 years ago) is not considered generally safe
anymore. The only open question is how much security longer keys add, and
if it helps against (fictitious) quantum computers, but at the very least,
you still need a bigger quantum computer to crack longer key lengths, if
it is even possible.

By contrast, you are arguing for known worse security because of unknown
reasons of why longer keys *might* be less safe. While this is true, any
key length could be unsafe against future algorithms - for all we know,
future algorithms will influence secure key lengths in unknown ways. Or in
other words, we just don't know.

So you argue that, because we don't know future attacks, we must go for
less security now by not even allowing people to use longer keys (or their
existing keys at all!).

This is illogical, and again I question the motives behind this "social
downgrade attack": arguing for known worse security because of "handwave,
but the future might" - we can only act by what we know *now*.

Calling NIST disingenuous because they don't throw their hands up and say
"oooh, the unknown future, why don't we give up now" is weird. What NIST
does is called "best practice" - no cryptography is safe against unknown
future attacks.

With your argument anything is unsafe, because the future might bring
efficient attacks against smaller rsa keys, against elliptic curves,
against very long rsa keys and so on just as well. We just don't know.

What we do know is that forcing people to downgrade key lengths and change
their keys to be interoperable with the only openpgp implementation that
can't cope with longer keys does reduce security - everything else is just
made up.

-- 
                The choice of a       Deliantra, the free code+content MORPG
      -----==-     _GNU_              http://www.deliantra.net
      ----==-- _       generation
      ---==---(_)__  __ ____  __      Marc Lehmann
      --==---/ / _ \/ // /\ \/ /      schmorp at schmorp.de
      -=====/_/_//_/\_,_/ /_/\_\
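The open question raised above, how much security a longer RSA key actually adds, can be put in numbers with the heuristic running time of the general number field sieve, L_n[1/3, c] with c = (64/9)^(1/3), which is the best published classical factoring algorithm. The following is an added example for this thread, not code from the message, from GnuPG or from NIST; it drops the o(1) term, so the raw figures are rough and only the differences between sizes are the meaningful output. The NIST SP 800-57 strength equivalences used as a reference column are quoted from memory (an assumption), and anchoring the estimate at 112 bits for a 2048-bit modulus is my own calibration choice.

```python
"""Estimate the factoring work for an RSA modulus as a function of its bit
length, using the heuristic GNFS running time
L_n[1/3, c] = exp((c + o(1)) * (ln n)^(1/3) * (ln ln n)^(2/3)), c = (64/9)^(1/3).

Added example for the key-length discussion; not code from the thread or
from GnuPG.  The o(1) term is dropped, so absolute numbers are rough and the
differences between sizes are what the heuristic predicts reasonably well.
"""
import math

GNFS_C = (64 / 9) ** (1 / 3)  # asymptotic constant of the general number field sieve

# Security-strength equivalences as published in NIST SP 800-57 Part 1.
# Assumption: quoted from memory, used only as a reference column.
NIST_STRENGTH_BITS = {1024: 80, 2048: 112, 3072: 128, 7680: 192, 15360: 256}


def gnfs_work_bits(modulus_bits: int) -> float:
    """log2 of the GNFS work factor for an RSA modulus of modulus_bits bits."""
    ln_n = modulus_bits * math.log(2)      # ln n for an n of modulus_bits bits
    ln_ln_n = math.log(ln_n)
    exponent = GNFS_C * ln_n ** (1 / 3) * ln_ln_n ** (2 / 3)   # work in natural-log units
    return exponent / math.log(2)


def calibrated_strength_bits(modulus_bits: int, anchor_bits: int = 2048,
                             anchor_strength: int = 112) -> float:
    """Shift the raw estimate so the anchor size matches a known strength figure.

    The raw L-notation value overstates strength because o(1) is ignored; the
    difference between two sizes is the part worth trusting, so we pin one
    size to its published strength and carry the differences from there.
    """
    return anchor_strength + gnfs_work_bits(modulus_bits) - gnfs_work_bits(anchor_bits)


def extra_bits_of_security(from_bits: int, to_bits: int) -> float:
    """How many more bits of factoring work a to_bits modulus costs than a from_bits one."""
    return gnfs_work_bits(to_bits) - gnfs_work_bits(from_bits)


def strength_table(sizes=(1024, 2048, 3072, 4096, 7680, 8192, 15360)):
    """Rows of (modulus bits, raw GNFS estimate, calibrated estimate, NIST figure or None)."""
    return [(b, round(gnfs_work_bits(b), 1), round(calibrated_strength_bits(b), 1),
             NIST_STRENGTH_BITS.get(b)) for b in sizes]


if __name__ == "__main__":
    print(f"{'modulus':>8} {'GNFS raw':>9} {'calibrated':>11} {'NIST':>5}")
    for b, raw, cal, nist in strength_table():
        print(f"{b:>8} {raw:>9} {cal:>11} {nist if nist is not None else '-':>5}")
    print(f"1024 -> 2048 adds about {extra_bits_of_security(1024, 2048):.0f} bits of work")
    print(f"2048 -> 15360 adds about {extra_bits_of_security(2048, 15360):.0f} bits of work")
```

Run as a script it prints the table; the shape of the numbers is the point: the work grows strictly with modulus size, but sub-exponentially, so doubling the key from 1024 to 2048 bits buys roughly 30 extra bits of work rather than 1024, and 15360 bits lands near the 256-bit strength NIST cites. None of this says anything about quantum algorithms, which is exactly why the estimate only answers the classical half of the question.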
