8k Key Generation via Keychain Access not possible + 8k key creation via Terminal not working

davemcwish

06 Sep, 2014 10:03 PM

GPG Keychain Access 1.1.2 (3772107) (848n)

I've only just come across this tool, as I'm ex-Windows and now using Mavericks.

Please describe what you expected instead

It looks like I can generate 8k keys via the command line/Terminal app, but I was surprised that the front-end doesn't accommodate this. Is there a reason, and will I have a problem if I generate an 8k key?

  1. Support Staff 1 Posted by Steve on 19 Sep, 2014 11:50 AM

    Hi Dave,

    well, gnupg defaults to 2048-bit keys currently. GPG Suite (nightly) and the next stable release do default to 4096-bit keys. While 8k keys do exist, we see little practical benefit above 4k keys. So we do not offer a UI solution. If you really know what you are doing and have a real need for an 8k key, you can always fall back to the Terminal.

    All the best, steve

  2. 2 Posted by JonasHansen on 08 Nov, 2014 06:25 PM

    I just want to point out that knowingly lowering the overall security in the gpgtools is a really bad call, both because the primary goal for your app should be as great security as possible, because the extra clock cycles are negligible, and because several crypto experts have commented that we should already now be defaulting to 8k keys.

  3. 3 Posted by Baris Kayadelen on 10 Nov, 2014 09:07 AM

    Hi,
    I tried to generate an 8K key using the terminal. During the password phase it failed. Looks like the max supported is 4K:

    Please select what kind of key you want:
       (1) RSA and RSA (default)
       (2) DSA and Elgamal
       (3) DSA (sign only)
       (4) RSA (sign only)
    Your selection? 1
    RSA keys may be between 1024 and 8192 bits long.
    What keysize do you want? (2048) 8192
    Requested keysize is 8192 bits
    Please specify how long the key should be valid.
             0 = key does not expire
          <n>  = key expires in n days
          <n>w = key expires in n weeks
          <n>m = key expires in n months
          <n>y = key expires in n years
    Key is valid for? (0) 4y
    Key expires at Fri Nov 9 10:50:43 2018 EET
    Is this correct? (y/N) y

    We need to generate a lot of random bytes. It is a good idea to perform
    some other action (type on the keyboard, move the mouse, utilize the
    disks) during the prime generation; this gives the random number
    generator a better chance to gain enough entropy.
    gpg: keysize invalid; using 4096 bits
    We need to generate a lot of random bytes. It is a good idea to perform
    some other action (type on the keyboard, move the mouse, utilize the
    disks) during the prime generation; this gives the random number
    generator a better chance to gain enough entropy.
    gpg: keysize invalid; using 4096 bits
    gpg: key xxxxxxx marked as ultimately trusted
    public and secret key created and signed.

  4. Support Staff 4 Posted by Steve on 11 Nov, 2014 11:43 AM

    Hi Jonas,

    can you link some of the crypto experts suggesting 8k keys as a default?

    The current debate still seems to be about 2k vs. 4k keys (gnupg defaults to 2k). We've disabled 1k keys in the beta and set the default to 4k keys. So we have not "knowingly lowered the overall security". Quite the opposite is true. We have changed our default from 2048 to 4096.

    We'll look into the 8k Terminal issue reported by Baris soon.

  5. 5 Posted by Baris Kayadelen on 14 Jan, 2015 08:39 AM

    Hi Steve,

    GPG Suite Beta 4 still has a problem creating 8K signatures. Is there any news about this issue?

  6. Support Staff 6 Posted by Luke Le on 13 Feb, 2015 06:02 PM

    Hi Baris,

    we've since released Beta 5 and it's very much possible that the issue is fixed.
    Could you test with Beta 5 and let us know what you find?

    Thanks.

  7. 7 Posted by Baris Kayadelen on 14 Feb, 2015 11:48 AM

    Hi Luke,

    I downloaded the latest version of GPG Suite Beta 5 and tried to generate 8k keys. It seems the problem continues. My OS and gpg versions are below.

    Mac OS X Yosemite 10.10.2
    GPGMail 2.5b5 Built 891b
    gpg (GnuPG/MacGPG2) 2.0.26
    GPG Keychain Version 1.2b5 (1010b)

    gpg (GnuPG/MacGPG2) 2.0.26; Copyright (C) 2013 Free Software Foundation, Inc.
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.

    Please select what kind of key you want:
       (1) RSA and RSA (default)
       (2) DSA and Elgamal
       (3) DSA (sign only)
       (4) RSA (sign only)
    Your selection? 1
    RSA keys may be between 1024 and 8192 bits long.
    What keysize do you want? (2048) 8192
    Requested keysize is 8192 bits
    Please specify how long the key should be valid.
             0 = key does not expire
          <n>  = key expires in n days
          <n>w = key expires in n weeks
          <n>m = key expires in n months
          <n>y = key expires in n years
    Key is valid for? (0) 4y
    Key expires at Wed Feb 13 13:35:12 2019 EET
    Is this correct? (y/N) y

    GnuPG needs to construct a user ID to identify your key.

    Real name: XXXX XXXXXXX
    Email address: [email blocked]
    Comment:
    You selected this USER-ID:
    "XXXX XXXXXXX [email blocked]"

    Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
    You need a Passphrase to protect your secret key.

    We need to generate a lot of random bytes. It is a good idea to perform
    some other action (type on the keyboard, move the mouse, utilize the
    disks) during the prime generation; this gives the random number
    generator a better chance to gain enough entropy.
    gpg: keysize invalid; using 4096 bits

    We need to generate a lot of random bytes. It is a good idea to perform
    some other action (type on the keyboard, move the mouse, utilize the
    disks) during the prime generation; this gives the random number
    generator a better chance to gain enough entropy.
    gpg: keysize invalid; using 4096 bits
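A check worth running after a key generation like the ones posted above (this is an added example, not code from the thread, from GPGTools or from GnuPG): gpg accepted 8192 at the prompt and then printed "keysize invalid; using 4096 bits", so the size of the key that actually landed in the keyring should be read back rather than assumed. The script parses the machine-readable output of `gpg --with-colons --list-keys` (a real GnuPG option; field positions as documented in GnuPG's doc/DETAILS) and reports each primary key's algorithm and bit length, flagging any key smaller than the size that was requested. The keyring listing embedded below is constructed, with fake key ids, dates and hashes; `list_local_keys` is the assumed helper for feeding it output from a real gpg binary.

```python
"""Read back the RSA key size GnuPG actually produced.

Added example for the GPGTools thread above, not project code.  The
prompt accepted 8192 bits, but gpg then reported it was using 4096, so
the keyring is the only trustworthy record of what was generated.
"""
import subprocess
from dataclasses import dataclass
from typing import List

# Public-key algorithm ids as they appear in field 4 of the colon format
# (OpenPGP algorithm numbers used by GnuPG).
PUBKEY_ALGOS = {
    "1": "RSA", "2": "RSA (encrypt-only)", "3": "RSA (sign-only)",
    "16": "Elgamal", "17": "DSA", "18": "ECDH", "19": "ECDSA", "22": "EdDSA",
}


@dataclass
class PrimaryKey:
    keyid: str
    algo: str
    bits: int


def parse_colon_listing(text: str) -> List[PrimaryKey]:
    """Return one PrimaryKey per 'pub' record of --with-colons output.

    Colon-format fields (1-based): 1 record type, 3 key length in bits,
    4 public-key algorithm id, 5 key id.  'sub', 'uid' and 'tru' records
    are skipped; only the primary key is reported.
    """
    keys = []
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] != "pub":
            continue
        keys.append(PrimaryKey(
            keyid=fields[4],
            algo=PUBKEY_ALGOS.get(fields[3], "algo " + fields[3]),
            bits=int(fields[2]),
        ))
    return keys


def shortfalls(keys: List[PrimaryKey], requested_bits: int) -> List[PrimaryKey]:
    """Keys whose real size is below what the operator asked gpg for."""
    return [k for k in keys if k.bits < requested_bits]


def describe(keys: List[PrimaryKey], requested_bits: int) -> List[str]:
    """One human-readable verdict line per primary key."""
    lines = []
    for k in keys:
        status = "OK" if k.bits >= requested_bits else "SHORT"
        lines.append(f"{k.keyid}: {k.algo} {k.bits}-bit "
                     f"(requested {requested_bits}) {status}")
    return lines


def list_local_keys(gpg: str = "gpg") -> List[PrimaryKey]:
    """Assumed helper: run the real gpg binary and parse its listing."""
    out = subprocess.run([gpg, "--with-colons", "--list-keys"],
                         capture_output=True, text=True, check=True).stdout
    return parse_colon_listing(out)


# Constructed sample listing: the first key was requested at 8192 bits and
# silently capped at 4096 (as in the thread); the second is a 2048-bit
# default key.  Key ids, timestamps and uid hashes are fake.
SAMPLE_LISTING = """\
tru::1:1423916400:0:3:1:5
pub:u:4096:1:0123456789ABCDEF:1423916400:1550062512::u:::scESC:
uid:u::::1423916400::FAKEHASH00000000000000000000000000000000::Test User <test@example.invalid>:
sub:u:4096:1:FEDCBA9876543210:1423916400:1550062512:::::e:
pub:u:2048:1:1111222233334444:1400000000:0::u:::scESC:
uid:u::::1400000000::FAKEHASH11111111111111111111111111111111::Another User <other@example.invalid>:
"""

if __name__ == "__main__":
    # Replace SAMPLE_LISTING with list_local_keys() to audit a real keyring.
    for verdict in describe(parse_colon_listing(SAMPLE_LISTING), 8192):
        print(verdict)
```

Run against a real keyring, the same report shows at a glance whether a key that was "requested" at 8192 bits is in fact 4096, which is the situation the output above describes.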

  8. 8 Posted by Ville Määttä on 17 Feb, 2015 11:03 PM

    Hi Baris, Jonas,

    … and others asking for 8192 keys. Please do not. They don't add to your security in the least. They cause issues with compatibility. They cause other issues. They are not enabled in the upstream official GPG release for many reasons. Sometimes someone rebuilds GPG to allow 8192 keys but it is not possible by default. For a reason.

    It will not increase security and all it will achieve is problems. So please just use 4096 keys if you want a large RSA key. In the future you will get the option of using ECC keys, which will increase the encryption quality without an increase, and in fact with a decrease, in key size.

  9. Steve closed this discussion on 27 Feb, 2015 03:06 PM.

  10. Steve closed this discussion on 26 Mar, 2015 03:02 PM.
