| 1 |
On Tue, Feb 19, 2013 at 7:12 PM, Robin H. Johnson <robbat2@g.o> wrote: |
| 2 |
> On Wed, Feb 20, 2013 at 01:34:57AM +0100, Stefan Behte wrote: |
| 3 |
>> > 2. root key & signing subkey of EITHER: 2.1. DSA, 1024 or 2048 bits |
| 4 |
>> > 2.2. RSA, >=2048 bits |
| 5 |
> ... |
| 6 |
>> 1024 DSA keys seem pretty short to me. Surely it might be inconvenient |
| 7 |
>> for some (2-3? please write a mail here!) people with smart cards. But |
| 8 |
>> then again, especially people going through the hell of using a |
| 9 |
>> physical token would understand the need for decent crypto. ;) |
| 10 |
> A physical token defends against a different method of attack than a |
| 11 |
> longer key. Simply having a longer key isn't going to help you if store |
| 12 |
> the key on the laptop and it gets compromised: presuming the attacker |
| 13 |
> extracts your secret key and passphrase). In such a case, the smartcard |
| 14 |
> at worst limits him to doing some number of signatures only, or even |
| 15 |
> better if the reader has a hardwired pinpad, he gets nowhere at all. |
| 16 |
|
| 17 |
I'm a bit confused. |
| 18 |
|
| 19 |
I agree that a smartcard is much better security vs a longer key. I |
| 20 |
don't think attackers targetting Gentoo are going to brute force the |
| 21 |
key. They are going to steal the key, trivially, by exploiting a 0-day |
| 22 |
in a crappy browser, or flash, or java, or whatever. A smartcard is |
| 23 |
the defense against this attack (because the key material is well |
| 24 |
protected, and they need physical access to actually relocate it.) |
| 25 |
Storing it in the TPM would also be cool, except TPMs are crap on |
| 26 |
Linux, *and* most hardware TPMs are crap anyway. |
| 27 |
|
| 28 |
> |
| 29 |
> Also, if there is a Well-Funded-Organization attacking Gentoo, there are |
| 30 |
> MUCH more effective ways for them to compromise us. Any perceived gains |
| 31 |
> in that field from requiring DSA2048 and blocking DSA1024 should be |
| 32 |
> examined very closely. |
| 33 |
|
| 34 |
I would ask the opposite question. What is the perceived difficulty in |
| 35 |
using DSA2048 vs 1024? For the non-smartcard users, the cost is likely |
| 36 |
trivial. Even your perf data shows that signing requests still |
| 37 |
complete in 200ms or less, and that is on old / slow hardware. |
| 38 |
|
| 39 |
> |
| 40 |
>> I think key rotation is overdoing it and pretty annoying. Better use a |
| 41 |
>> non-annoying, long key from the start? |
| 42 |
> NOWHERE did I require key rotation. Why do you think that I did? |
| 43 |
> My own key is more than a decade old. I need to see about replacing it |
| 44 |
> soon, but I've been trying to hold out for the OpenPGP standard to have |
| 45 |
> ECC included, before I repeat getting my extremely large web-of-trust. |
| 46 |
> |
| 47 |
>> > 4. If you intend to sign on a slow alternative-arch, you may find |
| 48 |
>> > adding a DSA1024 subkey significantly speeds up the signing. |
| 49 |
>> How slow is that actually? Does it make signing very inconvenient? |
| 50 |
>> Maybe someone with a slow machine can write about performance and the |
| 51 |
>> "annoyence-factor"... ;) |
| 52 |
> Some benchmark results from hake.hppa.dev.g.o, 552Mhz PA-RISC box. |
| 53 |
> |
| 54 |
> Average of running clearsign ~100 times, for various signature types. |
| 55 |
> The gpg.conf was set as in my initial post. |
| 56 |
> |
| 57 |
> DSA1024 0.059830s |
| 58 |
> DSA2048 0.158800s |
| 59 |
> DSA3072 0.274850s |
| 60 |
> RSA1024 0.060020s |
| 61 |
> RSA2048 0.173070s |
| 62 |
> RSA4096 0.896480s |
| 63 |
> |
| 64 |
> For reasons of time, while I wanted to create the keys on the host as |
| 65 |
> well for timing, I gave up after the first key, DSA1024, took more than |
| 66 |
> 3 minutes (I did ensure that /dev/random was not the blocking factor). |
| 67 |
> |
| 68 |
> If somebody from MIPS or m68k wants to chime in, I think they probably |
| 69 |
> have the slowest hardware around presently. |
| 70 |
|
| 71 |
djm works for Google, and I chat with him at least once a quarter. |
| 72 |
I've seen some patches go by that we could re-purpose for gpg-agent |
| 73 |
forwarding. For slow machines we could have them sign on a |
| 74 |
faster-trusted machine with a forwarded agent. |
| 75 |
|
| 76 |
-A |
| 77 |
|
| 78 |
> |
| 79 |
> -- |
| 80 |
> Robin Hugh Johnson |
| 81 |
> Gentoo Linux: Developer, Trustee & Infrastructure Lead |
| 82 |
> E-Mail : robbat2@g.o |
| 83 |
> GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85 |
| 84 |
> |
Archives