Allow RSA 2048 and 4096 bit keys

Hello,

Would it be possible to add an option allowing the user to create 2048 and 4096 bit RSA keys? The story that the keys are too big is a false story with 5G. Even the NSA no longer recommends ECC keys.

However, in August 2015, the NSA announced that it plans to replace Suite B with a new cipher suite due to concerns about quantum computing attacks on ECC.

The Wikipedia reference you quoted does not say that RSA is more secure than ECC. It advises not to spend effort to transition from RSA to ECC to avoid a second transition from ECC to quantum resistant algorithms: “For those partners and vendors that have not yet made the transition to Suite B elliptic curve algorithms, we recommend not making a significant expenditure to do so at this point but instead to prepare for the upcoming quantum resistant algorithm transition.” This is from the page about Suite B which is outdated now: Commercial National Security Algorithm Suite

Commercial National Security Algorithm Suite - Wikipedia has some more references and says 3072-bit RSA is now supported (probably for legacy reasons) and does not introduce any quantum-resistant algorithms yet, probably because they are still experimental and not too well researched, while the risk of quantum computers becoming generally available soon was overestimated in 2015. 2048-bit RSA is considered insecure according to this new standard. Basically the advice boils down to “upgrade to ECC if you use less than 3072-bit RSA, keep using ECC if you have already transitioned to ECC and don’t bother transitioning to ECC from 3072-bit or 4096-bit RSA otherwise as you will probably need to transition to quantum-resistant algorithms again in the not so distant future”.

RSA is not quantum resistant either; in fact, Shor’s algorithm is designed for integer factorization and directly applies to breaking RSA keys. In case quantum algorithms become practically available, both RSA and ECC will fail quickly. But I expect that practical quantum-resistant algorithms will become available in libraries like OpenSSL first, at which point we will switch to them. Wire did some research into quantum-resistant algorithms at some point and AFAIK did not adopt them in their messenger: https://wire.com/en/blog/post-quantum-resistance-wire/ So I think a pragmatic solution is to keep using ed25519 and wait for standards for quantum-resistant algorithms approved by experts and merged into TLS, SSH and similar standard ciphersuites. If quantum computers become available before this point, we will have much bigger problems to solve than trying to keep our emails secure.

I have no idea how 5G is related, AFAIK wireless networks use symmetric encryption most of the time and it does not matter much which asymmetric encryption (RSA/ECC) is used during session establishment as it happens only when you connect to the network.

But on the application level, like in Delta Chat, RSA keys sent in each Autocrypt header indeed waste more traffic for the same level of security than ed25519 keys we use now. Ask Delta Chat users who don’t have unlimited traffic, for example @adbenitez 🙂

If you really want to use RSA, I would recommend at least not to use less secure 2048-bit keys. You can generate a 3072-bit or 4096-bit key manually and import it into Delta Chat if you want, but be aware that it will result in significantly larger Autocrypt headers and no practical security benefit.


By the way, previously Delta Chat used RSA 2048 keys and there is still an option to do this. It is just not exposed in the UI and only used during the tests to test for compatibility with old RSA versions of Delta Chat. This was changed to Ed25519 during the effort to reduce traffic and there is a screenshot showing how much smaller Ed25519 keys are; the RSA key did not even fit on the screen: Saving Network Traffic - Delta's Efforts to Reduce the Message Size - Delta Chat

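A rough size estimate for the Autocrypt key material compared in the replies above, as an added example that is not from the thread or from Delta Chat's code. It assumes OpenPGP v4 packets with new-format headers, a constructed user ID, and 40 bytes of subpackets per signature (an assumed figure; real implementations vary).

```python
import math

OID_ED25519 = 9    # encoded OID length in bytes (1.3.6.1.4.1.11591.15.1)
OID_CV25519 = 10   # encoded OID length in bytes (1.3.6.1.4.1.3029.1.5.1)
SUBPACKETS = 40    # ASSUMPTION: hashed + unhashed subpacket bytes per signature
UID = b"<alice@example.org>"  # constructed user ID

def packet(body_len):
    """Body plus new-format header: tag octet and 1, 2 or 5 length octets."""
    return body_len + (2 if body_len < 192 else 3 if body_len < 8384 else 6)

def mpi(bits):
    """OpenPGP multiprecision integer: 2-byte bit count plus the value."""
    return 2 + math.ceil(bits / 8)

def key_material(algo, bits=0):
    if algo == "rsa":
        return mpi(bits) + mpi(17)             # modulus n, exponent e = 65537
    if algo == "ed25519":
        return 1 + OID_ED25519 + mpi(263)      # 0x40-prefixed 32-byte point
    if algo == "cv25519":
        return 1 + OID_CV25519 + mpi(263) + 4  # point plus KDF parameters
    raise ValueError(algo)

def sig_material(algo, bits=0):
    # RSA: one MPI the size of the modulus. EdDSA: r and s, at most 256 bits each.
    return mpi(bits) if algo == "rsa" else 2 * mpi(256)

def keydata_size(primary, subkey, bits=0):
    """Estimated base64 length of a minimal key: primary key, user ID,
    self-signature, encryption subkey, subkey binding signature."""
    pub = packet(6 + key_material(primary, bits))  # version, time, algo = 6
    sub = packet(6 + key_material(subkey, bits))
    sig = packet(10 + SUBPACKETS + sig_material(primary, bits))
    binary = pub + packet(len(UID)) + sig + sub + sig
    return 4 * math.ceil(binary / 3)               # base64 expansion

if __name__ == "__main__":
    base = keydata_size("ed25519", "cv25519")
    print(f"Ed25519/Cv25519: {base} base64 chars")
    for bits in (2048, 3072, 4096):
        n = keydata_size("rsa", "rsa", bits)
        print(f"RSA-{bits}: {n} base64 chars ({n / base:.1f}x)")
```

The estimate covers only the `keydata` value; the `addr` attribute and header line folding add a little more to every message.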