Help answer threads with 0 replies.
Go Back > Forums > Linux Forums > Linux - Security
User Name
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.


Closed Thread
  Search this Thread
Old 06-28-2007, 09:17 PM   #1
LQ Newbie
Registered: May 2007
Posts: 4

Rep: Reputation: 0
GPG -- RSA or DSA with El Gamal for new keys


I'm getting back into using encryption again, and I've got a grasp on how to use gpg on my linux box, but I'm puzzled when creating new keys when it asks is I want to generate my keys with DSA with El Gamal, DSA (signing only) or RSA (signing only).

It's been a good seven years since I've used pgp, and I only remember RSA.

What are the differences -- pros and cons -- of these methods. I've googled my heart out for info on this, and I've only found pages that are full of jargon, and aren't really too the point, or very vague on which one is better, so I'm turning here. There was a couple of similar threads on this website, but I were not as detailed as I hoped.

On one of the threads, it states that DSA can't encrypt, only sign, but RSA can, but RSA is less secure? ...

I want good security, and if I remember correctly, PGP is uncrackable, or at least, hard to crack. Are any of these methods more crackable than others?

If somebody could enlighten me on this, that'd be greatly appreciated.

Forgive my ignorance on the subject.

Thanks for the help!
Old 06-30-2007, 01:26 AM   #2
Senior Member
Registered: Mar 2005
Location: Earth bound to Helios
Distribution: Custom
Posts: 2,524

Rep: Reputation: 319Reputation: 319Reputation: 319Reputation: 319
Use the option which says DSA and Elgamel.
This is better than RSA.
Also RSA is not used my these days.
Old 12-10-2007, 04:06 PM   #3
LQ Newbie
Registered: Dec 2007
Distribution: Debian 4.0r2 x86_64
Posts: 22

Rep: Reputation: 15
Hash: SHA1

I realize that this is a really, really old thread, but I read this, and had to intervene.

DSA and Elgamal are both based on an underlying mathematical problem, called the discrete logarithm problem, or DLP. The DLP is believed to be very, very hard to solve in any reasonable amount of time.

RSA is based on an underlying mathematical problem, called the integer factorization problem, or IFP. The IFP is believed to be very, very hard to solve in any reasonable amount of time.

Notice a similarity, here? Other than the problem that they're based on, they're both very secure. Sorry to be the contradictor here, but RSA is used a hell of a lot more than DSA/Elgamal. Cryptographic tokens such as USB tokens and smart cards use RSA. Most SSL/TLS sites utilize RSA keys. SSH uses, mostly, RSA keys. GnuPG, though, didn't use RSA until more recently, so older GPG users might have a problem.

The main reason that DSA keys are used in GnuPG is because of the signature system. DSA keys generate signatures whose length depends on the length of the hash used to make the signature. DSA is also restricted on the type of hash that it can use. It's REQUIRED to use SHA1, you don't have a choice. RSA keys generate signatures whose length depends on the length of the signing key. RSA keys tend to generate obnoxiously long signatures.

On the flip side of convenience, you have security (which is obviously a hell of a lot more important.) It's believed, but not proven, that the DLP that DSA is based off of is a harder problem to solve than the IFP that RSA is based on. You've also got public exposure and scrutiny. DSA was developed by someone at the NSA. RSA was developed by three guys at MIT. RSA, since it's so common, has undergone a ridiculous amount of scrutiny and research. DSA hasn't had that much exposure or scrutiny. It's also led to the recent factoring of a 1017-bit number. Remember what I said about RSA being based on integer factorization? Beware, though. While it may sound like DSA is the winner, there is something that plays against it. I mentioned that DSA has to use SHA1. Well, SHA1 has been broken. Not "totally useless" broken, but "cryptographically iffy" broken. See below for a greater explanation. You're also restricted to a 1024-bit DSA key. You can't make it any bigger, except in a certain case that I'll discuss later.

So, to summarize what we've got so far:

RSA - Common, studied, widely believed to be secure.
DSA - Widely compatible with GPG of just about any version. Shorter, more convenient signatures.

RSA - Believed to be less secure than a DSA key of the same length. Ridiculously long signatures. Not as compatible, GPG wise.
DSA - Small keysize might leave it quickly vulnerable to a break. Underlying hash, while still trusted, is not suggested for use in new cryptographic applications.

That last one sounds like an issue, right? Well, I thought so, too, until I did a little digging. There's an update to DSA. When SHA1 was cracked, and the keysize started getting a little too small for comfort, the DSS (the underlying specification of the DSA algorithm) was updated. Instead of being restricted to a 1024-bit key using SHA1, you're now able to use 2048 and 3072 bit DSA keys with better hashing algorithms (SHA224/256 for 2048, and SHA256/384/512 for 3072, your choice.) This does create a compatibility problem for any version of GPG released prior to the updated specification (which is still in draft form. Final draft, but draft, nonetheless.) And it's a fairly inconvenient thing, too - Anyone that doesn't have a specific command in their gpg.conf won't be able to utilize your key.

So, all in all, it's pretty much your choice. A 2048-bit RSA key, or a 1024/2048 DSA/Elgamal keypair should be more than secure enough, even with the relative (and, currently, minor, though that may change) insecurity of the SHA1 algorithm. The SHA1 break is more theoretical than practical. They found collisions (two different plaintexts that hash to the same output) in 2^69 operations, instead of the 2^80 that they should have. That means that finding a collision is 2000 times easier than it should be. It's still trusted as a cryptographic hash, but in new systems, it's suggested to move away. It's one of those "if you're using it, keep using it, but if you're making a new system, use something else" situations.

If you're paranoid, like me, you can go higher; 4096-bit RSA, or 1024/4096 DSA/ELG-E. Throwing the following in your gpg.conf will let you generate the later revision DSA keys and specify the hash algorithm you want to use, like what I created for experimental purposes (3072/4096 DSA/ELG-E, SHA512):

digest-algo sha512

But remember, anyone without the "enable-dsa2" line won't be able to use keys generated with this method, even your public key. They also will have a problem verifying your signatures.

I'm not a cryptologist, by any means. I've just done a LOT of homework on the subject.

Caveat emptor.
Version: GnuPG v1.4.7 (MingW32)


Last edited by MindOfMercury; 12-11-2007 at 11:52 AM.
Old 12-10-2007, 05:17 PM   #4
Senior Member
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Probably the most informative (and to the point) summary I've seen in one place on the DSA vs. RSA topic.

It was worth digging up an old thread over.
Old 12-10-2007, 05:30 PM   #5
Registered: Nov 2005
Posts: 144

Rep: Reputation: 18
Nice summary, Mercury.

Old 12-11-2007, 04:29 AM   #6
LQ Newbie
Registered: Dec 2007
Distribution: Debian 4.0r2 x86_64
Posts: 22

Rep: Reputation: 15
Doing my best. Thanks for the compliments. :-)

Crypto seems to be the one thing I'm good at. Gotta have something, right?
Old 12-11-2007, 11:06 AM   #7
LQ Newbie
Registered: Dec 2007
Distribution: Debian 4.0r2 x86_64
Posts: 22

Rep: Reputation: 15
Hmmm... I might not have done all my homework, it seems.

For some reason, GnuPG is using a 1024-bit DSA (without DSA2 enabled) with a SHA512 hash, which it really shouldn't do.

Anyone know anything about that?
Old 12-11-2007, 11:54 AM   #8
LQ Newbie
Registered: Dec 2007
Distribution: Debian 4.0r2 x86_64
Posts: 22

Rep: Reputation: 15
Hash: SHA1

Summary Edit - Clarified SHA1 vulnerability. Specified compatibility issues for DSA2 keys.

(Also, note: My standard key is a 1024/4096 DSA/ELG-E key, which uses SHA1. IMHO, it's more than secure enough for me.)
Version: GnuPG v1.4.7 (MingW32)

Old 07-07-2009, 09:39 AM   #9
Registered: Jun 2008
Posts: 76

Rep: Reputation: 19
doh, going to resurrect this one. GPG is switching to have RSA as default according to

One more reason RSA is better is because DSA depends heavily on a good random number generator what at least once happened to break security badly for many.
Old 07-07-2009, 12:26 PM   #10
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Originally Posted by avalonit View Post
doh, going to resurrect this one.
No, you're not.

Closed Thread

Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
Which is better RSA or DSA public key? tarballedtux Linux - Security 12 02-03-2009 06:15 AM
ssh - rsa/dsa question. Infernal211283 Linux - Networking 1 12-25-2005 07:56 AM
Mulitiple RSA Keys Reformed Linux - Software 3 12-13-2003 02:02 PM
RSA vs DSA??? dm0nkz Slackware 1 02-06-2003 11:30 AM
SSH, DSA and RSA Rex_chaos Linux - Networking 0 03-22-2002 05:54 AM > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 08:31 PM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration