| From | Lucian Solaris <luciansolaris@gmail.com> |
|---|---|
| Newsgroups | comp.security.pgp.tech, alt.security.pgp |
| Subject | Re: gnupg2 modified to generate 16384 bits RSA key |
| Date | 2011-05-20 08:27 -0700 |
| Organization | http://groups.google.com |
| Message-ID | <d1019256-b44c-4cc2-8143-723123f4864f@l14g2000pro.googlegroups.com> |
| References | <14e417f17b3cb247f87eb7c943e9800c@rip.ax.lt> <ir3r6a$ehs$1@dont-email.me> |
Cross-posted to 2 groups.
On May 19, 12:31 pm, 1PW <1...@INVALID.net> wrote:
> On 5/18/2011 3:29 PM, Anne Onime wrote:
>
> > I wanted to generate the RSA gnupg key with length of 16384 bits.
> > Previously it was sufficient to increase the maximum key length:
>
> > --- gnupg2-2.0.17.orig/g10/keygen.c
> > +++ gnupg2-2.0.17/g10/keygen.c
> > @@ -1774,7 +1774,7 @@ ask_algo (int addmode, int *r_subkey_alg
> > static unsigned
> > ask_keysize (int algo, unsigned int primary_keysize)
> > {
> > - unsigned int nbits, min, def = DEFAULT_STD_KEYSIZE, max=4096;
> > + unsigned int nbits, min, def = DEFAULT_STD_KEYSIZE, max=16384;
> > int for_subkey = !!primary_keysize;
> > int autocomp = 0;
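Review bot: raising `max` to 16384 only lifts the interactive size cap, and the post itself reports that key generation then dies with an out-of-memory error until the secure-memory pool in gpg.c is also enlarged, so the two edits need to land together and the cap should not run ahead of what the pool can hold. Note also that `max` bounds subkeys as well as primary keys (`int for_subkey = !!primary_keysize;`), and a bare literal here and a second bare literal in gpg.c will drift apart; suggest a named constant beside DEFAULT_STD_KEYSIZE and deriving the pool size from it.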
>
> > Now it appears, that the above modification is not sufficient.
> > Generation of key ends with out of memory error.
> > To successfully generate the 16k bit RSA key one needs to increase
> > amount of allocated "secure memory":
>
> > --- gnupg2-2.0.17.orig/g10/gpg.c
> > +++ gnupg2-2.0.17/g10/gpg.c
> > @@ -2050,7 +2050,7 @@ main (int argc, char **argv)
> > #endif
>
> > /* Initialize the secure memory. */
> > - if (!gcry_control (GCRYCTL_INIT_SECMEM, 32768, 0))
> > + if (!gcry_control (GCRYCTL_INIT_SECMEM, 65536, 0))
> > got_secmem = 1;
> > #if defined(HAVE_GETUID) && defined(HAVE_GETEUID)
> > /* There should be no way to get to this spot while still carrying
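Review bot: 65536 is a second hard-coded literal with no link to the key-size cap raised in keygen.c, and the reply below says even this may have to be quadrupled for the MPI buffers, so the pool size should be computed from the maximum key size rather than doubled by guesswork. Two further checks: libgcrypt mlock()s this pool, so the larger request should be tested against RLIMIT_MEMLOCK (`ulimit -l`) for the non-setuid case; and the hunk keeps the existing failure path, where a failed `gcry_control` leaves `got_secmem` at 0 with nothing in this hunk reporting that the larger pool was not obtained.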
>
> > After above modifications I was able to successfully generate 16384 bits RSA
> > key.
>
> As this has all the outward appearances of a friendly enhancement, I
> hope you have considered requesting this be included in future
> official updates by "The GnuPG Team".
I made this modification a long time ago in my copy. You may also
need to quadruple (or more) the MPI reserved memory and the secure
memory allocation. I've got mine set to max out at 65536; however,
32768 is the largest I've attempted and the largest I've generated (1
week on a P4 3 GHz HT). My copy also has the ECC patches applied, so at
least my copy is ECC capable (though I don't vouch for its security, as
I have too limited a knowledge of cryptography to test it).
Also, I'd go through the keygen.c file and seek out the q-bits
variable and make it selectable. My DSA2 keys all sign 512-bit sha512
hashes without truncation, unlike the unmodified versions, which
truncate off anything beyond 256 bits. I also highly recommend you
set dsa2 as the default behavior without the command-line argument or
config file setting, as DSA2 kicks DSA's butt with larger key sizes.
I've reliably generated 16384-bit DSA2 keys.
One more note: any key above 16384 bits WILL NOT IMPORT, VERIFY WITH,
OR ENCRYPT TO any unmodified version of GnuPG 1.4. Keys at 16384
bits should work fine for encryption and verification on unmodified
GnuPG installations; however, private keys used for decryption/signatures
may still fail due to an inappropriately small MPI object
size and not enough secure memory allocated.
Happy Hacking, and Encrypting!
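The size limits argued over in this thread are all visible in the key material itself, so the following added example (written for this page; not code from the thread, from GnuPG or from libgcrypt) parses an OpenPGP v4 public-key packet per RFC 4880 section 5.5.2, reports the bit length of each MPI, and places the key size against the two numbers the thread gives: the 4096-bit cap in the unmodified ask_keysize() shown in the first hunk, and the 16384-bit ceiling the reply reports for unmodified GnuPG 1.4 (the reply's claim, taken as stated and not verified here). For DSA keys it also reports the size of q, since an OpenPGP DSA signature truncates the hash to the bit length of q, which is the point of the q-bits remark above. The sample packets are built in-script from synthetic odd integers that are not primes and not real keys; the constants UNMODIFIED_KEYGEN_MAX and REPORTED_INTEROP_CEILING are this example's names for the thread's numbers.

```python
"""Added example: parse an OpenPGP v4 public-key packet and check its MPI
sizes against the key-size limits discussed in this thread. Not GnuPG code."""
import struct

PKALG_RSA = 1    # RSA (Encrypt or Sign), RFC 4880 section 9.1
PKALG_DSA = 17   # DSA
# Limits taken from the thread (example's own names): 4096 is the max in the
# unmodified ask_keysize(); 16384 is the size the reply says an unmodified
# GnuPG 1.4 will still import and verify with.
UNMODIFIED_KEYGEN_MAX = 4096
REPORTED_INTEROP_CEILING = 16384


def encode_mpi(value):
    """OpenPGP MPI: 2-octet bit count followed by big-endian magnitude octets."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def decode_mpi(buf, off):
    """Decode one MPI at buf[off:]; return (value, bit_count, next_offset)."""
    (bits,) = struct.unpack_from(">H", buf, off)
    end = off + 2 + (bits + 7) // 8
    if end > len(buf):
        raise ValueError("truncated MPI")
    value = int.from_bytes(buf[off + 2:end], "big")
    if value.bit_length() != bits:
        raise ValueError("MPI bit count does not match its octets")
    return value, bits, end


def build_public_key_packet(algo, mpis, created=0):
    """Tag-6 packet with an old-format header and a 2-octet length (CTB 0x99)."""
    body = b"\x04" + struct.pack(">I", created) + bytes([algo])
    body += b"".join(encode_mpi(m) for m in mpis)
    if len(body) > 0xFFFF:
        raise ValueError("body too large for a 2-octet old-format length")
    return bytes([0x80 | (6 << 2) | 1]) + struct.pack(">H", len(body)) + body


def parse_packet_header(buf):
    """Return (tag, body_offset, body_length) for old- and new-format headers."""
    ctb = buf[0]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet")
    if ctb & 0x40:                                   # new-format header
        tag, first = ctb & 0x3F, buf[1]
        if first < 192:
            return tag, 2, first
        if first < 224:
            return tag, 3, ((first - 192) << 8) + buf[2] + 192
        if first == 255:
            return tag, 6, struct.unpack_from(">I", buf, 2)[0]
        raise ValueError("partial-body lengths not supported")
    tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03       # old-format header
    if ltype == 0:
        return tag, 2, buf[1]
    if ltype == 1:
        return tag, 3, struct.unpack_from(">H", buf, 1)[0]
    if ltype == 2:
        return tag, 5, struct.unpack_from(">I", buf, 1)[0]
    raise ValueError("indeterminate old-format length not supported")


def parse_public_key(buf):
    """Parse a v4 public (sub)key packet into algorithm, creation time and MPI sizes."""
    tag, off, length = parse_packet_header(buf)
    if tag not in (6, 14):
        raise ValueError("tag %d is not a public (sub)key packet" % tag)
    body = buf[off:off + length]
    if len(body) != length or body[0] != 4:
        raise ValueError("truncated packet or not a v4 key")
    algo = body[5]
    layout = {PKALG_RSA: ("n", "e"), PKALG_DSA: ("p", "q", "g", "y")}
    if algo not in layout:
        raise ValueError("unsupported algorithm %d" % algo)
    sizes, pos = {}, 6
    for name in layout[algo]:
        _, sizes[name], pos = decode_mpi(body, pos)
    if pos != len(body):
        raise ValueError("trailing bytes after the MPIs")
    info = {"algo": algo, "created": struct.unpack_from(">I", body, 1)[0],
            "mpi_bits": sizes, "key_bits": sizes["n" if algo == PKALG_RSA else "p"]}
    if algo == PKALG_DSA:
        # RFC 4880 section 5.2.2: the hash is truncated to the bit length of q,
        # so q decides how much of a sha512 digest the signature actually covers.
        info["usable_hash_bits"] = sizes["q"]
    return info


def classify_size(bits):
    """Place a key size against the two limits quoted from the thread."""
    if bits <= UNMODIFIED_KEYGEN_MAX:
        return "within unmodified keygen limit"
    if bits <= REPORTED_INTEROP_CEILING:
        return "needs patched keygen; reported to still import on unmodified GnuPG"
    return "above the reported 16384-bit interoperability ceiling"


def synthetic_int(bits):
    """Constructed odd integer of exactly `bits` bits: not prime, not a real key."""
    return (1 << (bits - 1)) | 1


if __name__ == "__main__":
    rsa = build_public_key_packet(PKALG_RSA, [synthetic_int(16384), 65537])
    dsa = build_public_key_packet(PKALG_DSA, [synthetic_int(16384), synthetic_int(512),
                                              2, synthetic_int(16383)])
    for pkt in (rsa, dsa):
        info = parse_public_key(pkt)
        print(info["algo"], info["key_bits"], classify_size(info["key_bits"]), info["mpi_bits"])
```

To run the same check on a real key, feed the script the first packet of `gpg --export KEYID` output; the parser refuses partial-body lengths and anything that is not a v4 RSA or DSA public (sub)key, and it cross-checks each MPI's declared bit count against its octets, which is the kind of malformed-length input an importer has to reject before touching secure memory.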
gnupg2 modified to generate 16384 bits RSA key Anne Onime <anonymous@rip.ax.lt> - 2011-05-19 00:29 +0200
Re: gnupg2 modified to generate 16384 bits RSA key 1PW <1PW@INVALID.net> - 2011-05-19 12:31 -0700
Re: gnupg2 modified to generate 16384 bits RSA key Lucian Solaris <luciansolaris@gmail.com> - 2011-05-20 08:27 -0700
Re: gnupg2 modified to generate 16384 bits RSA key wzab01@gmail.com - 2014-11-01 08:38 -0700