Maximum security with gpg

From The Uncensored Hidden Wiki

This article explains how to get maximum security out of gpg -- or why not to use the DSA signature algorithm.

Basically:

  • DSA only supports a key size of 1024 bits
  • DSA can only be used with the SHA-1 hash function -- which is broken

Note: The advice given in this article is out of date. For 256 bit symmetric keys, the recommended RSA key size is 15360 bits; 4096 bits is sufficient only for 128 bit symmetric keys. GnuPG does support keys up to 16384 bits, although some PGP key servers may not support such large keys. Elliptic curve cryptography is being merged into GnuPG, which will help alleviate this problem. ECC is already available for S/MIME, although because of concerns about patents, ECC support is not available in some Linux distributions (e.g. Fedora and CentOS/RHEL); it is likely that support for ECC in GnuPG will be similarly unavailable in these distributions.

4096-bit RSA keys

Generating 4096-bit (or indeed, even 2048-bit) keypairs with gpg is a little tricky. The "obvious" way of generating large keys will leave you with a 1024-bit DSA signing key and 4096-bit ElGamal encryption key. This is because gpg defaults to DSA for signing, and the DSA standard only permits 1024-bit keys.

Since your encryption key is protected by your signing key, a MITM (man in the middle) attacker can swap out your encryption key with theirs — assuming they can break the 1024-bit key.

So what's the difference?
$ gpg --list-keys myname
pub   1024D/6EF4B17C 2009-06-14 [expires: 2019-06-12]   <-- 1024-bit DSA signing key, not good
uid                  My Name <myname@torpm>
sub   4096g/9DAEA88A 2009-06-14 [expires: 2019-06-12]   <-- 4096-bit ElGamal encryption subkey

pub   4096R/91B86833 2009-06-14 [expires: 2019-06-12]   <-- 4096-bit RSA signing key
uid                  My Name <myname@torpm>
sub   4096R/15231034 2009-06-14 [expires: 2019-06-12]   <-- 4096-bit RSA encryption subkey
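
The same comparison can be automated over a whole keyring. The following is an added example, not part of the original article: it reads gpg's machine-readable --with-colons listing (field 1 is the record type, 3 the key length, 4 the algorithm ID, 5 the key ID) and flags DSA keys and RSA/ElGamal keys below a minimum size. The sample listing and its key IDs are constructed; the 4096-bit default follows this article's recommendation.

```shell
#!/bin/sh
# Constructed sample in `gpg --list-keys --with-colons` format, modelled on
# the two key pairs shown above (key IDs are placeholders, not real keys).
SAMPLE_COLONS='tru::1:0:0:3:1:5
pub:u:1024:17:0000000000000001:2009-06-14:2019-06-12::u:::scSC:
uid:u::::2009-06-14::::My Name <myname@torpm>:
sub:u:4096:16:0000000000000002:2009-06-14:2019-06-12:::::e:
pub:u:4096:1:0000000000000003:2009-06-14:2019-06-12::u:::scSC:
uid:u::::2009-06-14::::My Name <myname@torpm>:
sub:u:4096:1:0000000000000004:2009-06-14:2019-06-12:::::e:'

# audit_keys [MIN_BITS]
# Reads a colon listing on stdin and prints one verdict line per key/subkey.
# Exit status is 1 if any key is WEAK, 0 otherwise.
audit_keys() {
    awk -F: -v min="${1:-4096}" '
        BEGIN {
            # OpenPGP public-key algorithm IDs for the finite-field algorithms
            names[1] = "RSA"; names[2] = "RSA"; names[3] = "RSA"
            names[16] = "ELG"; names[17] = "DSA"; names[20] = "ELG"
        }
        $1 != "pub" && $1 != "sub" { next }      # skip uid, tru, fpr, ...
        {
            known = ($4 in names)
            alg = known ? names[$4] : ("algo" $4)
            if ($4 == 17)                 verdict = "WEAK"  # DSA, per the article
            else if (known && $3 + 0 < min) verdict = "WEAK"  # key too short
            else if (known)               verdict = "OK"
            else                          verdict = "SKIP"  # e.g. ECC: bit size not comparable
            print verdict, $1, $5, alg "-" $3
            if (verdict == "WEAK") bad = 1
        }
        END { exit bad }
    '
}

# Demo on the constructed sample; on a real keyring use:
#   gpg --list-keys --with-colons | audit_keys 4096
if ! printf '%s\n' "$SAMPLE_COLONS" | audit_keys 4096; then
    echo "at least one weak key found"
fi
```

A WEAK verdict on a "pub" line is the case described above: the primary (signing) key is the one that certifies the encryption subkey.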

Instructions

$ gpg --gen-key
Please select what kind of key you want:
   (1) DSA and Elgamal (default)
   (2) DSA (sign only)
   (5) RSA (sign only)
Your selection? 5
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 10y
Key expires at Wed Jun 12 XX:XX:XX 2019
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: My Name
Email address: myname@torpm
Comment:
You selected this USER-ID:
    "My Name <myname@torpm>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o

[ enter passphrase twice ]

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 91B86833 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   4  signed:   7  trust: 0-, 0q, 0n, 0m, 0f, 4u
gpg: depth: 1  valid:   7  signed:   0  trust: 1-, 0q, 0n, 4m, 2f, 0u
gpg: next trustdb check due at 2012-12-26
pub   4096R/91B86833 2009-06-14 [expires: 2019-06-12]
      Key fingerprint = 69C8 33DA CDD7 F76B 9DCA  9767 3587 F440 91B8 6833
uid                  My Name <myname@torpm>

Note that this key cannot be used for encryption.  You may want to use
the command "--edit-key" to generate a subkey for this purpose.
$ gpg --edit-key 91B86833
Secret key is available.

pub  4096R/91B86833  created: 2009-06-14  expires: 2019-06-12  usage: SC
                     trust: ultimate      validity: ultimate
[ultimate] (1). My Name <myname@torpm>

Command> addkey

[ enter passphrase ]

Please select what kind of key you want:
   (2) DSA (sign only)
   (4) Elgamal (encrypt only)
   (5) RSA (sign only)
   (6) RSA (encrypt only)
Your selection? 6
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 10y
Key expires at Wed Jun 12 XX:XX:XX 2019
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

pub  4096R/91B86833  created: 2009-06-14  expires: 2019-06-12  usage: SC
                     trust: ultimate      validity: ultimate
sub  4096R/15231034  created: 2009-06-14  expires: 2019-06-12  usage: E
[ultimate] (1). My Name <myname@torpm>

Command> save

That's it. Phew!

Using SHA512 for signature hashes

Given that both MD5 and SHA-1 have been broken, everybody should migrate away from them. The sad truth is that another shortcoming of the DSA is that it only allows SHA-1 as the hash function! You have to follow the instructions above in order to use hash functions other than SHA-1.

Since a 4096-bit signing key will already create a huge signature block, there is no reason to settle for anything less than SHA512 -- it doesn't change the size of your signatures.

So, let's get started. Open up the ~/.gnupg/gpg.conf file in a text editor and add the following line:

personal-digest-preferences SHA512

That's it! Now let's check whether it actually works.

$ echo Test message | gpg --clearsign

You need a passphrase to unlock the secret key for
user: "My Name <myname@torpm>"
4096-bit RSA key, ID 91B86833, created 2009-06-14

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Test message
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.11 (GNU/Linux)

iQIcBAEBCgAGBQJKNPU7AAoJEDWH9ECRuGgzs/cP/0CMxzck19kYI4iZMYIb/0YE
wcPpuCa+KwLsgygt87XoSDFRWZSNsouVsY31DeH5/fdGlQaPT+Zx+ZwthkUQMpdT
C7pZ5agEOrVpQibZXMYQMjknT7d0hANDTKVSsQFCaLgkJUPgOIARIoDedbDrW9cc
3W3xnjKroxH8fK3dy+BZhmDiGC5MF+jFfnt+qsCa/YbPaDBWlJvDrvTyVut9NcEG
cVrCoqimSbG1I0F+YD7oecKOGiy7gQm0dSD7ilcFmwd2go9K3nJ9+8+jFNNK2Nd8
Mmg/1CiSfr3hjNyPCbIt431DADkzNMfaJLtz6UfoBM1cpUPiHGaFo1/SCVIsEiej
58IUoeSjgcDXyW+9Bj+XpvvT4G3y9A8U+m/DcbMQsAhpiHtzHmklbO1L1YQFhcB5
bZKwVp/xFAHTfDiUgYkmz+iYbo40NP5k9EiGnAM5bc4/eu5LI84bub03ZihZ5jQC
F+SfJ50tbFeV84xi7auM1sh6CM5ON60XMZ95TijqXHpGMMsvLW6rORWUnth+0TPu
nSEDmszI9XWZyttWpJZ41CwmQ0u57fFZ2LS0WDoGYQxak7TkmWJtDzhOh1V6vWB+
gZ2W1ei9F6d+et2MjUyw2yM7x89s7rNNYCnR4p2e8ZBcbTellfawgIlaymuHUTN8
U/ZKEoZOOK0QdcFU7+LH
=3gfM
-----END PGP SIGNATURE-----

If you see anything other than "Hash: SHA512" up there then something didn't quite work as expected.
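
The "Hash:" check can be scripted for clearsigned files you receive or produce. The following is an added example, not part of the original article: it reads only the armor headers (the lines between the BEGIN line and the first blank line), so a "Hash:" line inside the message text is ignored, and it treats a missing header as MD5, as RFC 4880 specifies. The sample message is constructed and its signature is a placeholder.

```shell
#!/bin/sh
# Constructed clearsigned message: two declared hashes, plus a misleading
# "Hash:" line in the body that must NOT be treated as a header.
SAMPLE_MSG='-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1,SHA512

Hash: SHA512 (this line is message text, not a header)
Test message
-----BEGIN PGP SIGNATURE-----

[signature data omitted]
-----END PGP SIGNATURE-----'

# clearsign_hashes: print each hash named in the armor headers, one per line.
clearsign_hashes() {
    awk '
        /^-----BEGIN PGP SIGNED MESSAGE-----/ { inhdr = 1; next }
        inhdr && /^[ \t\r]*$/ { inhdr = 0; next }   # blank line ends the headers
        inhdr && /^Hash:/ {
            sub(/^Hash:[ \t]*/, ""); gsub(/[ \t\r]/, "")
            n = split($0, h, ",")                   # "Hash: A,B" lists several
            for (i = 1; i <= n; i++) print toupper(h[i])
        }
    '
}

# weak_clearsign_hash: print the weak hashes declared by the message on stdin.
# Exit status 0 if any were found (MD5 or SHA1, the two the article calls
# broken), 1 if the declaration is clean.
weak_clearsign_hash() {
    hashes=$(clearsign_hashes)
    if [ -z "$hashes" ]; then
        echo MD5          # RFC 4880: no Hash header means MD5 is assumed
        return 0
    fi
    printf '%s\n' "$hashes" | grep -E -x 'MD5|SHA1'
}

# Demo on the constructed sample; on a real file use:
#   weak_clearsign_hash < message.asc
if weak=$(printf '%s\n' "$SAMPLE_MSG" | weak_clearsign_hash); then
    echo "weak digest declared: $weak"
fi
```

The armor header is only the sender's declaration; the digest algorithm actually used is recorded in the signature packet, which gpg --list-packets reports as a numeric "digest algo" (10 is SHA512).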

RSA-16k

To meet the ECRYPT II 2009 specification of the European Union of 30-year protection against quantum computers, 15424-bit RSA keys are required. GPG on Linux currently supports up to RSA-16384.