Keys
======== 4. Keys ======== 4.1. Which key size should I use? PGP gives you three choices for key size: 512, 768, or 1024 bits. You can also specify the number of bits your key should have if you don't like any of those numbers. The larger the key, the more secure the RSA portion of the encryption is. The only place where the key size makes a large change in the running time of the program is during key generation. A 1024 bit key can take 8 times longer to generate than a 384 bit key. Fortunately, this is a one time process that doesn't need to be repeated unless you wish to generate another key pair. During encryption, only the RSA portion of the encryption process is affected by key size. The RSA portion is only used for encrypting the session key used by the IDEA. The main body of the message is totally unaffected by the choice of RSA key size. So unless you have a very good reason for doing otherwise, select the 1024 bit key size. Using currently available algorithms for factoring, the 384 and 512 bit keys are just not far enough out of reach to be good choices. If you are using MIT PGP 2.6.2, ViaCrypt PGP 2.7.1, or PGP 2.6.2i, you can specify key sizes greater than 1024 bits; the upper limit for these programs is 2048 bits. Remember that you have to tell PGP how big you want your key if you want it to be bigger than 1024 bits. Generating a key this long will take you quite a while; however, this is, as noted above, a one-time process. Remember that other people running other versions of PGP may not be able to handle your large key! ======== 4.2. Why does PGP take so long to add new keys to my key ring? The time required to check signatures and add keys to your public key ring tends to grow as the square of the size of your existing public key ring. This can reach extreme proportions. Gary Edstrom remarked (a long time ago): I just recently added the entire 850KB public key ring form one of the key servers to my local public key ring. Even on my 66MHz 486 system, the process took over 10 hours. ======== 4.3. How can I extract multiple keys into a single armored file? A number of people have more than one public key that they would like to make available. One way of doing this is executing the "-kxa" command for each key you wish to extract from the key ring into separate armored files, then appending all the individual files into a single long file with multiple armored blocks. This is not as convenient as having all of your keys in a single armored block. Unfortunately, the present version of PGP does not allow you to do this directly. Fortunately, there is an indirect way to do it. I would like to thank Robert Joopfor supplying the following method which is simpler than the method that I had previously given. solution 1: pgp -kxaf uid1 > extract pgp -kxaf uid2 >> extract pgp -kxaf uid3 >> extract Someone who does a `pgp extract` processes the individual keys, one by one. that's inconvinient. solution 2: pgp -kx uid1 extract pgp -kx uid2 extract pgp -kx uid3 extract This puts all three keys into extract.pgp. To get an ascii amored file, call: pgp -a extract.pgp You get an extract.asc. Someone who does a `pgp extract` and has either file processes all three keys simultaneously. A Unix script to perform the extraction with a single command would be as follows: #!/bin/csh foreach name (name1 name2 name3 ...) pgp -kx $name /tmp/keys.pgp end or: #!/bin/sh for name in name1 name2 name3 ... ; do pgp -kx $name /tmp/keys.pgp end An equivalent DOS command would be: for %a in (name1 name2 name3 ...) do pgp -kx %a keys.pgp ======== 4.4. I tried encrypting the same message to the same address two different times and got completely different outputs. Why is this? Every time you run PGP, a different session key is generated. This session key is used as the key for IDEA. As a result, the entire header and body of the message changes. You will never see the same output twice, no matter how many times you encrypt the same message to the same address. This adds to the overall security of PGP. ======== 4.5. How do I specify which key to use when an individual has 2 or more public keys and the very same user ID on each, or when 2 different users have the same name? Instead of specifying the user's name in the ID field of the PGP command, you can use the key ID number. The format is 0xNNNNNNNN where NNNNNNNN is the user's 8 character key ID number. It should be noted that you don't need to enter the entire ID number, a few consecutive digits from anywhere in the ID should do the trick. Be careful: If you enter "0x123", you will be matching key IDs 0x12393764, 0x64931237, or 0x96412373. Any key ID that contains "123" anywhere in it will produce a match. They don't need to be the starting characters of the key ID. You will recognize that this is the format for entering hex numbers in the C programming language. For example, any of the following commands could be used to encrypt a file to my work key: pgp -e "Jeff Licquia" pgp -e licquia@cei.com pgp -e 0xCF45DD0D This same method of key identification can be used in the config.txt file in the "MyName" variable to specify exactly which of the keys in the secret key ring should be used for encrypting a message. ======== 4.6. What does the message "Unknown signator, can't be checked" mean? It means that the key used to create that signature does not exist in your database. If at sometime in the future, you happen to add that key to your database, then the signature line will read normally. It is completely harmless to leave these non-checkable signatures in your database. They neither add to nor take away from the validity of the key in question. ======== 4.7. How do I get PGP to display the trust parameters on a key? You can only do this when you run the -kc option by itself on the entire database. The parameters will NOT be shown if you give a specific ID on the command line. The correct command is: "pgp -kc". The command "pgp -kc smith" will NOT show the trust parameters for smith. ======== 4.8. How can I make my key available via finger? The first step is always to extract the key to an ASCII-armored text file with "pgp -kxa". After that, it depends on what type of computer you want your key to be available on. Check the documentation for that computer and/or its networking software. Many computers running a Unix flavor will read information to be displayed via finger from a file in each user's home directory called ".plan". If your computer supports this, you can put your public key in this file. Ask your system administrator is you have problems with this.