[Enigmail] about creating a secure encryption
Charly Avital
shavital at mac.com
Tue Jul 1 10:05:19 PDT 2008
Barry Jefferson wrote the following on 7/1/08 12:17 PM:
> Robert J. Hansen wrote:
> | Barry Jefferson wrote:
> |> Would you say the default security algorithm used when generating a key
> |> is adequate enough for personal use?
> |
> | That depends on what your "personal use" is. If you're digitally
> | signing 30-year mortgages, protecting nuclear weapon launch keys,
> | serving as a notary public, or other such things, then no. For
> | everything else, it's more than adequate.
> |
> |> As I have been having second thoughts after reading this:
> |
> | Having looked over the site in question, I can't find anything there
> | that would make me doubt GnuPG's defaults. What precisely is concerning
> | you?
> |
> Just mainly it would have been nice to have the option in the program
> itself to set a higher encryption but I trust what you say when you say
> that it would take a nuclear powered, proton emitting computer capable
> of speed of light processing to crack keys well you said it in a different
>
> Thanks,
> Barry
I can only *guess* that when you directed me to that URL, you were
wondering about what *hash* algorithm to use.
The new key you have generated and uploaded is a 1024 bit key.
With that kind of key you can use only SHA1.
Please see Robert J. Hansen's:
<http://sixdemonbag.org/cryptofaq.xhtml>
more specifically:
<http://sixdemonbag.org/cryptofaq.xhtml#sha1> where the last sentence
is: Please stop using sha–1 right now.
When using a DSA key, you need it to be DSA2, where the primary key can
be 2048 bits long (that is quite enough), in order to be able to use
hash SHA256.
If this hash issue is not the one you were asking me about, then *I
apologize for wasting your time and the list's*.
If that is what you meant (which hash algorithm), and you want to use
SHA256 instead of SHA1, you have two possibilities.
- the not-too-good one: revoke your present key, and generate a DSA2 key.
Too many revoked keys in a short time, but it's your privilege.
- the work-around: add a signing-only 2048-bit subkey to your current
key. The 2048-bit subkey will have to be RSA, because of the same DSA
limitation.
Take care,
Charly
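
Added example (not part of the message above, and not Enigmail or GnuPG code): a small check over `gpg --with-colons --list-keys` output that flags 1024-bit DSA primary keys, the case described above as limited to SHA1, and reports whether the work-around of a 2048-bit RSA signing subkey is already present. The key IDs, dates and the verdict strings are constructed for illustration.

```python
# Added example: audit `gpg --with-colons --list-keys` output for primaries
# that are 1024-bit DSA and check for the signing-subkey work-around.
DSA, RSA = 17, 1  # OpenPGP public-key algorithm IDs (RFC 4880)

# Constructed sample listing; key IDs and dates are placeholders.
SAMPLE = """\
pub:u:1024:17:AAAAAAAAAAAAAAAA:1214900000:::u:::scESC:
uid:u::::1214900000::0000::Constructed Key A:
sub:u:2048:16:AAAAAAAAAAAAAAA1:1214900000::::::e:
pub:u:1024:17:BBBBBBBBBBBBBBBB:1214900000:::u:::scESC:
sub:u:2048:16:BBBBBBBBBBBBBBB1:1214900000::::::e:
sub:u:2048:1:BBBBBBBBBBBBBBB2:1214900000::::::s:
pub:u:2048:17:CCCCCCCCCCCCCCCC:1214900000:::u:::scESC:
pub:u:1024:17:DDDDDDDDDDDDDDDD:1214900000:::u:::scESC:
sub:r:2048:1:DDDDDDDDDDDDDDD1:1214900000::::::s:
"""

def audit(colons):
    """Return {primary key id: verdict} for each pub record."""
    state, primary = {}, None
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] not in ("pub", "sub") or len(f) < 12:
            continue  # uid, fpr and other record types are not needed here
        validity, bits, algo, keyid, caps = f[1], int(f[2]), int(f[3]), f[4], f[11]
        if f[0] == "pub":
            primary = keyid
            # [is a 1024-bit DSA primary, has a usable RSA signing subkey]
            state[primary] = [algo == DSA and bits <= 1024, False]
        elif (primary and algo == RSA and bits >= 2048 and "s" in caps
              and validity not in ("r", "e")):  # skip revoked/expired subkeys
            state[primary][1] = True
    verdicts = {}
    for keyid, (small_dsa, rsa_signer) in state.items():
        if not small_dsa:
            verdicts[keyid] = "ok"
        elif rsa_signer:
            verdicts[keyid] = "workaround in place"
        else:
            verdicts[keyid] = "limited to SHA1"
    return verdicts

if __name__ == "__main__":
    for keyid, verdict in audit(SAMPLE).items():
        print(keyid, verdict)
```

To run it against a real keyring, pass the text printed by `gpg --with-colons --list-keys` to `audit()` in place of `SAMPLE`.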