From: Vladimir 'φ-coder/phcoder' Serbinenko
To: The development of GNU GRUB <grub-devel@gnu.org>
Subject: Re: DSA GnuPG signatures
Date: Fri, 11 Jan 2013 23:46:13 +0100
Message-ID: <50F09635.7060207@gmail.com>
In-Reply-To: <20130111221447.GA26172@riva.dynamic.greenend.org.uk>

On 11.01.2013 23:14, Colin Watson wrote:
> On Fri, Jan 11, 2013 at 09:54:22PM +0100, Vladimir 'φ-coder/phcoder' Serbinenko wrote:
>> 1) DSA keys only. RSA is more tricky since it needs padding and RSA
>> should be progressively phased out, not put into new places due to some
>> vulnerabilities (large classes of semiprimes are factorisable up to the
>> point when a lot of care has to be taken to avoid them).
>
> This is highly questionable. DSA is particularly sensitive to
> low-entropy situations and has various other systemic vulnerabilities
> that RSA doesn't have, mainly to do with the extreme sensitivity of k.
> For example, when Debian had its notorious OpenSSL vulnerability
> involving poor random number generation, RSA keys that were generated on
> a system with the vulnerability were indeed compromised; but DSA keys
> were compromised even if they were only ever used to generate a single
> signature on a system with the vulnerability! Knowledge of even a few
> bits of k is sufficient to recover a DSA private key if you collect a
> relatively small number of signatures made by that key (say, rather less
> than the number of modules shipped by GRUB). This is the sort of thing
> that makes me want to avoid a cipher, particularly for something like
> GRUB where it's quite possible that you might find yourself needing to
> sign things in situations where only limited entropy is available, even
> though the key might well have been generated in better conditions.

Most schemes that need random need very good random numbers. That's
why GRUB doesn't use anything needing random. And that's why sign
functions are removed altogether.

> RSA with a decent key length is perfectly fine and there is no call that
> I'm aware of to phase it out. Rather to the contrary, DSA is the one
> that I would normally prefer to avoid except where dictated by
> compatibility considerations.
>
> Assuming that the semiprimes you're referring to are those in
> https://en.wikipedia.org/wiki/RSA_numbers, nobody appears to have got
> any further than 768 bits. That would be a tiny key by modern
> standards; I've been using 4096 bits everywhere for a few years now, and
> of course the difficulty of factoring scales up much faster than
> linearly in the key length. I am not aware (and
> https://en.wikipedia.org/wiki/RSA_%28algorithm%29#Integer_factorization_and_RSA_problem
> would appear to agree) of any suggestions that >=4096-bit keys might be
> considered weak any time soon.

(AFAIR) Would need to recheck to be exact.
From the p and q you can compute 2 numbers: 0 < alpha, beta < 1. And if
they are small, you can factorise pq even for long keys. There is a
supposition that you could extend these algorithms up to when 0

> Please reconsider.

Ok. Let's move the "opinion" from "not accepted" to "patches are
welcome". The missing part is mainly the padding which is detailed in
RFC4880.

-- 
Regards
Vladimir 'φ-coder/phcoder' Serbinenko
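The two positions in the exchange above (Colin's: DSA leaks the private key through its per-signature nonce k; Vladimir's: GRUB uses nothing that needs randomness) can be made concrete in a few dozen lines. The following is an added example, not code from GRUB or from either poster: a toy DSA in pure Python whose nonce is derived deterministically from the private key and the message (a simplified HMAC stand-in for RFC 6979, not the RFC's exact HMAC_DRBG construction), so that signing consumes no entropy at all; an audit function that flags signatures from one key sharing the same r (and therefore the same k); and a final function showing why that audit matters, the textbook recovery of x from two such signatures. Parameter sizes, function names and the sample messages are this example's own choices.

```python
# Added example: toy DSA with a deterministic nonce, a nonce-reuse audit,
# and the key-recovery consequence of reuse. Not GRUB code. Python >= 3.8
# (uses pow(a, -1, m) for modular inverses).
import hashlib
import hmac
import secrets


def is_probable_prime(n, rounds=32):
    """Miller-Rabin; adequate for a demonstration, not a production PRNG/keygen."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_params(qbits=160, pbits=512):
    """Return (p, q, g): q prime, q divides p-1, g of order q modulo p."""
    while True:
        q = secrets.randbits(qbits) | (1 << (qbits - 1)) | 1
        if is_probable_prime(q):
            break
    while True:
        m = secrets.randbits(pbits - qbits) | (1 << (pbits - qbits - 1))
        m -= m & 1                     # even m keeps p = m*q + 1 odd
        p = m * q + 1
        if is_probable_prime(p):
            break
    while True:
        h = secrets.randbelow(p - 3) + 2
        g = pow(h, (p - 1) // q, p)
        if g != 1:
            return p, q, g


def keygen(params):
    """Private x in [1, q-1] and public y = g^x mod p (needs randomness once)."""
    p, q, g = params
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)


def hash_to_int(msg, q):
    """Leftmost bitlen(q) bits of SHA-256(msg), as FIPS 186-4 truncates."""
    e = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return e >> max(0, 256 - q.bit_length())


def deterministic_k(x, q, msg):
    """Nonce from key and message via HMAC-SHA256 (simplified RFC 6979 idea):
    no entropy is drawn at signing time, and equal messages give equal k,
    which is harmless because they also give equal signatures."""
    qlen = (q.bit_length() + 7) // 8
    mac = hmac.new(x.to_bytes(qlen, "big"), hashlib.sha256(msg).digest(),
                   hashlib.sha256).digest()
    return 1 + int.from_bytes(mac, "big") % (q - 1)     # 1 <= k <= q-1


def sign(params, x, msg, k=None):
    """DSA signature (r, s); k is only overridable to demonstrate reuse."""
    p, q, g = params
    if k is None:
        k = deterministic_k(x, q, msg)
    r = pow(g, k, p) % q
    s = pow(k, -1, q) * (hash_to_int(msg, q) + x * r) % q
    if r == 0 or s == 0:
        raise ValueError("degenerate signature; nonce must be changed")
    return r, s


def verify(params, y, msg, sig):
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):      # reject out-of-range values first
        return False
    w = pow(s, -1, q)
    u1 = hash_to_int(msg, q) * w % q
    u2 = r * w % q
    return (pow(g, u1, p) * pow(y, u2, p) % p) % q == r


def find_nonce_reuse(signed):
    """Audit: signatures under one key that share r share k. Returns the
    colliding index pairs (i, j) over a list of (msg, (r, s))."""
    seen, hits = {}, []
    for i, (_, (r, _)) in enumerate(signed):
        if r in seen:
            hits.append((seen[r], i))
        else:
            seen[r] = i
    return hits


def recover_x_from_reuse(params, m1, sig1, m2, sig2):
    """Why the audit matters: from s1 - s2 = k^-1 (h1 - h2) mod q one gets
    k, and from s1 = k^-1 (h1 + x r) one gets x. Needs h1 != h2 mod q."""
    _, q, _ = params
    r, s1 = sig1
    _, s2 = sig2
    h1, h2 = hash_to_int(m1, q), hash_to_int(m2, q)
    k = (h1 - h2) * pow(s1 - s2, -1, q) % q
    return (s1 * k - h1) * pow(r, -1, q) % q
```

With the deterministic nonce, `sign()` needs no random source, so a signing tool running where only limited entropy is available is no worse off than one run on a well-seeded machine; key generation (`keygen`) is the only step that still needs good randomness. The audit in `find_nonce_reuse` is cheap to run over a set of published signatures, and `recover_x_from_reuse` shows that a single collision is enough to lose the key outright.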