<p>At <a href="http://www.keylength.com/en/7/" rel="nofollow noreferrer">keylength.com</a> there is this:</p>
<blockquote>
<p>To protect a 256-bit symmetric key (e.g. AES-256), you may consider using at the minimum a 17120-bit asymmetric system (e.g. RSA).</p>
</blockquote>
<p>The 4096 bit limit can be raised as described in a short article entitled "<a href="https://deekayen.net/large-gpg-keys" rel="nofollow noreferrer">Generate large keys with GnuPG</a>", reproduced below. This was done for the gnupg package in homebrew to allow for 8192 bit keys: <a href="https://github.com/mxcl/homebrew/pull/4201" rel="nofollow noreferrer">PR 4201</a>. A word of caution about memory allocation for the larger keys: <a href="https://groups.google.com/d/msg/comp.security.pgp.tech/QfQoQalKop0/SrMY-n74UcMJ" rel="nofollow noreferrer">comp.security.pgp.tech</a>.</p>
<h1>Generate large keys with GnuPG | David Norman</h1>
<p>If you'd like to generate larger keys than 4096 bits with GnuPG, you can compile a new version that increases the upper limit of 4096. You'll probably find yourself generating it as RSA. Download the patch to your un-tared gnupg-1.4.19 directory and apply it with:</p>
<pre><code>usbdrive@sandisk-extreme64:~/gnupg-1.4.19$ patch -p0 &lt; gnupg_1.4.19_large_keygen.patch
patching file g10/keygen.c
usbdrive@sandisk-extreme64:~/gnupg-1.4.19$ ./configure --enable-large-secmem
[...]
checking whether to allocate extra secure memory... yes
[...]
usbdrive@sandisk-extreme64:~/gnupg-1.4.19$ make -j2
usbdrive@sandisk-extreme64:~/gnupg-1.4.19$ make check
usbdrive@sandisk-extreme64:~/gnupg-1.4.19$ sudo make install
usbdrive@sandisk-extreme64:~/gnupg-1.4.19$ gpg --gen-key --enable-large-rsa
</code></pre>
<p>Without the --enable-large-rsa flag, the key generation process will automatically downgrade the key to 4096.</p>
<p>To compile on a Mac, you'll need to download Xcode from the App Store first. The patch increases the upper limit of the key size to 15489 bits.
Without increasing the secure memory limit, generating a key larger than about 7680-bits will fail because it won't be able to allocate enough memory to the process. Generating keys larger than around 7680-bits (192-bit symmetric equivalent) can also make it impossible to decrypt messages with standard secure memory limits set at compile time because the gpg binary won't be able to allocate enough secure memory to decrypt the message, even small ones.</p> <p><a href="https://gist.github.com/deekayen/3f5526531951bf53be49#file-gnupg_1-4-19_xlarge_key_gen-patch" rel="nofollow noreferrer">gnupg_1.4.19_xlarge_key_gen.patch</a></p> <pre><code>--- g10/keygen.c 2015-02-26 12:24:21.000000000 -0500 +++ g10/keygen.c 2015-03-02 22:12:09.028419377 -0500 @@ -1041,8 +1041,9 @@ nbits = 2048; log_info(_("keysize invalid; using %u bits\n"), nbits ); } - else if (nbits &gt; 4096) { - nbits = 4096; + else if (nbits &gt; 15489) { + /* fallback to RFC3766 256-bit symmetric equivalency */ + nbits = 15489; log_info(_("keysize invalid; using %u bits\n"), nbits ); } @@ -1251,7 +1252,8 @@ PKT_public_key *pk; MPI skey[6]; MPI *factors; - const unsigned maxsize = (opt.flags.large_rsa ? 8192 : 4096); + /* New large key limit RFC3766 256-bit symmetric equivalency */ + const unsigned maxsize = (opt.flags.large_rsa ? 15489 : 4096); assert( is_RSA(algo) ); @@ -1578,7 +1580,7 @@ static unsigned int ask_keysize (int algo, unsigned int primary_keysize) { - unsigned nbits, min, def=2048, max=4096; + unsigned nbits, min, def=2048, max=15489; int for_subkey = !!primary_keysize; int autocomp = 0; </code></pre> <p><a href="https://gist.github.com/deekayen/3f5526531951bf53be49#file-gnupg_1-4-19_xlarge_secmem-patch" rel="nofollow noreferrer">gnupg_1.4.19_xlarge_secmem.patch</a> </p> <pre><code>--- configure 2015-02-27 03:37:52.000000000 -0500 +++ configure 2015-03-02 22:28:31.488401783 -0500 
@@ -5076,7 +5076,7 @@ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $large_secmem" &gt;&amp;5 $as_echo "$large_secmem" &gt;&amp;6; } if test "$large_secmem" = yes ; then - SECMEM_BUFFER_SIZE=65536 + SECMEM_BUFFER_SIZE=131072 else SECMEM_BUFFER_SIZE=32768 fi </code></pre> <p>Article ends. <a href="https://www.evernote.com/shard/s236/sh/f3da2653-844c-4325-ac59-79612d090901/3a4889d345f947c93c6ae7c5acce5a6c" rel="nofollow noreferrer">Retrieved on 2016-02-26</a> from an archived copy of the <a href="https://deekayen.net/large-gpg-keys" rel="nofollow noreferrer">original</a>.</p>
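Review bot: in the first g10/keygen.c hunk (@@ -1041) the new clamp `else if (nbits > 15489)` applies regardless of `opt.flags.large_rsa`, while the second hunk keeps `maxsize` at 4096 unless that flag is set, so a request for 15489 bits passes this check and is then cut back to 4096 by the `maxsize` check in `gen_rsa` (the "automatically downgrade the key to 4096" behaviour the article describes). Either derive both limits from one flag-dependent constant or make this branch clamp to the same value `maxsize` will enforce. The comment `fallback to RFC3766 256-bit symmetric equivalency` should also state where 15489 was read from, since the figure quoted from keylength.com at the top of this answer for a 256-bit symmetric key is 17120, not 15489.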
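Review bot: in the second g10/keygen.c hunk (@@ -1251) `15489` is hard-coded a second time (and a third time in the `ask_keysize` hunk); one named constant next to the existing 4096 default would stop `gen_rsa`'s `maxsize` and `ask_keysize`'s `max` from drifting apart. Nothing in this hunk checks that secure memory is large enough for a key of the requested size, yet the article states that generation of keys above roughly 7680 bits fails under the stock secure-memory limit, so a user who applied only this patch and not the configure change only finds out after a long key generation; a `log_info` warning, or a check against the configured secmem size, when `nbits` exceeds about 7680 would fail early instead.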
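Review bot: in the third g10/keygen.c hunk (@@ -1578) `max=15489` in `ask_keysize` is unconditional, so the interactive prompt advertises and accepts sizes up to 15489 bits even when `--enable-large-rsa` was not given, after which `gen_rsa`'s `maxsize` (4096 without the flag) takes over. Compute the prompt's upper bound from `opt.flags.large_rsa` the same way `maxsize` is computed, so the user is shown the limit that will actually apply to the key they get.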
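Review bot: the configure hunk (@@ -5076) edits the generated `configure` script (the `$as_echo`/`as_lineno` lines are autoconf output) rather than the autoconf input it is generated from, so the change to `SECMEM_BUFFER_SIZE=131072` is lost the next time `configure` is regenerated; the same one-line change belongs in the input (configure.ac) that defines the `--enable-large-secmem` branch. The patch description should also say how 131072 was sized, i.e. whether it was checked against the 15489-bit keys the keygen patch allows, since the article only says that roughly 7680 bits is where the old limits start to fail.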
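A practical follow-up to the article's caveat that a stock gpg build may be unable to decrypt with keys above roughly 7680 bits: an added example, not code from this answer or from GnuPG, that reads the key size directly out of exported OpenPGP public-key packets and flags keys above a chosen threshold. It parses the RFC 4880 packet headers (old and new format), the v4 key packet layout and the MPI encoding; the sample keyring is constructed inline from filler bytes rather than real key material, and the names `key_sizes`, `oversized_keys` and `build_sample_keyring` are chosen here.

```python
import struct

# Public-key algorithm ids from RFC 4880 section 9.1
RSA_ALGOS = {1, 2, 3}          # RSA (encrypt or sign), RSA encrypt-only, RSA sign-only
ELGAMAL = 16
DSA = 17
KEY_PACKET_TAGS = {6: "public key", 14: "public subkey"}


def _read_packet_header(data, pos):
    """Parse the packet header at `pos` (RFC 4880 section 4.2); return (tag, body_start, body_len)."""
    ctb = data[pos]
    if not ctb & 0x80:
        raise ValueError("byte 0x%02x at offset %d is not a packet tag" % (ctb, pos))
    if ctb & 0x40:                                   # new-format header
        tag = ctb & 0x3F
        b0 = data[pos + 1]
        if b0 < 192:
            return tag, pos + 2, b0
        if b0 < 224:
            return tag, pos + 3, ((b0 - 192) << 8) + data[pos + 2] + 192
        if b0 == 255:
            return tag, pos + 6, struct.unpack(">I", data[pos + 2:pos + 6])[0]
        raise ValueError("partial body lengths are not handled here")
    tag = (ctb >> 2) & 0x0F                          # old-format header
    ltype = ctb & 0x03
    if ltype == 0:
        return tag, pos + 2, data[pos + 1]
    if ltype == 1:
        return tag, pos + 3, struct.unpack(">H", data[pos + 1:pos + 3])[0]
    if ltype == 2:
        return tag, pos + 5, struct.unpack(">I", data[pos + 1:pos + 5])[0]
    raise ValueError("indeterminate-length packets are not handled here")


def _mpi_bits(body, off):
    """An MPI is a 2-byte big-endian bit count followed by ceil(bits/8) bytes (RFC 4880 section 3.2)."""
    bits = struct.unpack(">H", body[off:off + 2])[0]
    return bits, off + 2 + (bits + 7) // 8


def key_sizes(data):
    """Yield (packet kind, algorithm id, size in bits) for every v4 key packet in `data`.

    The size is the RSA modulus n, or the prime p for DSA/Elgamal. ECC keys (ids 18, 19, 22)
    yield None because their size is given by a curve OID rather than a leading MPI.
    """
    pos = 0
    while pos < len(data):
        tag, start, length = _read_packet_header(data, pos)
        body = data[start:start + length]
        pos = start + length
        if tag not in KEY_PACKET_TAGS:
            continue                                 # user IDs, signatures, trust packets ...
        if body[0] != 4:
            raise ValueError("only v4 key packets are handled here")
        algo = body[5]                               # version(1) + creation time(4) + algorithm(1)
        if algo in RSA_ALGOS or algo in (ELGAMAL, DSA):
            bits, _ = _mpi_bits(body, 6)             # first MPI is n (RSA) or p (DSA/Elgamal)
        else:
            bits = None
        yield KEY_PACKET_TAGS[tag], algo, bits


def oversized_keys(data, limit_bits=7680):
    """Return the key packets larger than `limit_bits` (default: the ~7680-bit point the
    article gives as where stock secure-memory limits start to fail)."""
    return [k for k in key_sizes(data) if k[2] is not None and k[2] > limit_bits]


# --- constructed sample input: not a real key, the modulus bytes are filler ------------------

def _mpi(value_bytes):
    """Encode bytes as an MPI with an exact bit count (leading zero bits are not counted)."""
    bits = int.from_bytes(value_bytes, "big").bit_length()
    return struct.pack(">H", bits) + value_bytes


def _rsa_key_body(modulus_bytes, created=1425000000):
    """v4 key packet body: version, creation time, algorithm 1 (RSA), MPIs n and e (65537)."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + _mpi(modulus_bytes) + _mpi(b"\x01\x00\x01")


def _new_format_packet(tag, body):
    """New-format header (RFC 4880 section 4.2.2) with the matching one-, two- or five-octet length."""
    n = len(body)
    if n < 192:
        length = bytes([n])
    elif n < 8384:
        length = bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    else:
        length = b"\xff" + struct.pack(">I", n)
    return bytes([0xC0 | tag]) + length + body


def build_sample_keyring():
    """An 8192-bit RSA primary key (old-format header, as gpg --export writes it), a user ID,
    and a 4096-bit RSA subkey (new-format header); all values constructed for this example."""
    primary = _rsa_key_body(b"\xc3" + b"\x5a" * 1023)    # 1024 bytes, top bit set -> 8192 bits
    subkey = _rsa_key_body(b"\xe1" + b"\x5a" * 511)      # 512 bytes, top bit set -> 4096 bits
    uid = b"Constructed Example <nobody@example.invalid>"
    return (bytes([0x99]) + struct.pack(">H", len(primary)) + primary   # 0x99: old format, tag 6, 2-byte length
            + bytes([0xB4, len(uid)]) + uid                              # 0xB4: old format, tag 13, 1-byte length
            + _new_format_packet(14, subkey))


if __name__ == "__main__":
    import sys
    data = build_sample_keyring() if sys.stdin.isatty() else sys.stdin.buffer.read()
    for kind, algo, bits in key_sizes(data):
        print(kind, "algorithm", algo, "bits", bits)
    print("above 7680 bits:", oversized_keys(data))
```

Run it with no input to see the constructed keyring, or feed it binary (not `--armor`) output such as `gpg --export <keyid> | python3 check_key_sizes.py` to list the sizes of a real key and its subkeys; the output is the modulus size exactly as encoded in the packet, which is the number that matters for the secure-memory behaviour the article describes. Partial body lengths, which gpg does not use for key packets, are deliberately rejected rather than silently skipped.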