First, I'm sorry for reviving a topic, but this is really important.
I sent an email to Justin (actually, I sent two, but one was in Brazilian
Portuguese, so he didn't understand it). Here follows my email:
== Start of email sent ==
Hi Justin,
Sorry if my last email seemed hard to understand, perhaps it's because I
wrote it in Brazilian Portuguese. However, if you don't remember receiving an
email sent by me, then just forget about this paragraph.
You can answer this email in English if you want.
OK, let me introduce myself: I'm a free software and free culture enthusiast,
who also values privacy and security.
I must say that your article about the 128 and 256 bit keys [1] is very
interesting, and also, your comment on a topic in the Linux Forums [2] makes
me think more and more about this subject.
Because of this, I brought the question to my mates from the GNU+Linux-libre
Trisquel project [3], but the questions haven't been answered.
And so I bring the questions to you: Which one is the most secure in each
case?
– DSA for signing with El Gamal for encrypting, or RSA for both?
– SHA-256 or SHA-512? Or other hash algorithm (in this case, which one)?
– At which strength (for example: 4096 bits)? Is the maximum strength
recommended/safe?
[1]
http://www.windowsecurity.com/articles-tutorials/authentication_and_encryption/Ideal-to-Realized-Security-Assurance-Cryptographic-Keys-Part1.html
[2] http://www.linuxforums.org/forum/security/3515-rsa-versus-dsa.html
[3]
https://trisquel.info/en/forum/dsa-el-gamal-or-rsa-sha-256-or-sha-512-minimum-or-maximum-strength
Best regards, ADFENO.
Have a nice day.
== End of email sent ==
One day later, he replied with the following email (which was adapted by me
for enhanced readability):
== Start of email received ==
Boa noite, Adfeno!
Desculpe ... eu falo Português mais ou menos, but I will carry on with
English if that's okay,
[Here, Justin talks about some “almost” personal information about him,
so I'll just suppress it.]
As far as DSA/Elgamal vs RSA, I'd recommend this post from Thomas Pornin:
http://crypto.stackexchange.com/a/1679 (I trust his judgment, and he points
out a lot of the architectural issues that might be more tangible than the
security differences.) Security-wise, I'd not be too worried about using
either configuration.
As for SHA-256 vs. SHA-512 -- I'd say you should be secure with either. I
don't know of any attacks that would cause one to choose one over another,
from a practical security standpoint. I've sometimes seen people use SHA-512,
and then truncate to 256 bits, if that's all they need. However, you'll not
really notice a security difference between the two, in the real world.
There's a good discussion of that here:
http://crypto.stackexchange.com/a/3156
Nowadays, if you can afford 4096-bit keys, that's a good choice; at the very
least, 2048, but it's hard to say if that's even considered conservative
right now.
I hope this helps! Feel free to e-mail me anytime and I'll do my best to
respond as quickly as possible. If you're on Twitter, I partake in a lot of
discussions there (@justintroutman).
Best regards,
Justin
== End of email received ==
Well, looks like we have gathered some good source of information which can
help us decide how to make our next key pairs. It's also important to note
what lloydsmart said: “I wasn't aware of the entropy problem with DSA, but
it doesn't affect me as I have an external source of entropy”.
Best regards, ADFENO.
Have a nice day.
