4096 bit RSA keys instead of 2048 bit
Currently, 2048 bit PGP keys are used to encrypt emails. While this is secure now, it won't be in the future. 1024 bit keys are already considered within the range of being breakable. Someday, probably within the next 10 years as technology advances, 2048 bit keys will also become breakable. When this happens, adversaries will be able to decrypt everything. Some adversaries save encrypted copies of all messages, waiting for the day they'll be able to break keys so they can go back and decrypt messages from the past. Eventually 4096 bit keys will be broken too, but that would be so far into the future that better encryption systems will likely have been developed by then. For now, 4096 bit keys provide far better long-term security than 2048 bit ones, which should be considered short-term. ProtonMail ought to start making 4096 bit keys the default for new users. With fast modern computers, there's little reason not to use 4096 bit; most users won't notice a speed difference and their messages will gain many years of extra safety. For users on extremely old and slow machines, 2048 bit could be an option so they don't have to wait a long time to do crypto operations. Bottom line, if ProtonMail is meant for people to use long-term, then the keys should also be large enough to last long-term too.
-
Ri commented
This is all I want for 2018! Allow us to re-key up to 4096, ability to export our private key from PM, allow us to re-key our encryption whenever.
I know for sure I was able to follow a guide online and with not too much work locally reverse engineer the login flow with Chrome Dev Tools and end up with the current 2048 PGP private key to a test account. Which doesn't mean it would be easy for someone else or some rogue extension to do it, but it's certainly possible. So I feel like ability to re-key is a must.
-
Edmund Laugasson commented
Also waiting for this feature for existing accounts. Also waiting to be able to create 4096-bit keys for each alias, and to create aliases at all.
-
Stephen Diniz commented
Great work Proton Mail Team! Looking forward to the Keychain Manager for existing accounts. I would like to change my key to 4096 bit :)
-
zyx commented
Is the team looking into quantum-proof encryption?
-
Mark Z commented
Today, the only hypothetically feasible way to break a 2048+ bit RSA key is with quantum computing, which as of today does not exist in the form that would be necessary for this to happen.
The US government, with a cryptanalysis budget of over $1B, can possibly break no more than a dozen 1024 bit keys per year, each for a price of around $100M. These numbers were published in several studies before. Breaking 2048+ is a different matter entirely and it is not feasible today with modern supercomputers and will not be practical in the next 100 years either, even for state actors, at least not on any scale. Don't forget also that RSA and symmetrical algorithms in general do not scale linearly when more bits are added (unlike many symmetrical algorithms). By increasing the key from 2048 to 4096, you are really only adding around 18 or so more bits of security, an increase of 16% or so. Barely worth it considering the impact on key storage and performance hit.
When and if quantum computing arrives, then any RSA key size will be at risk of being factored quickly using Shor's algorithm. With enough qubits, it won't matter how many bits of RSA you have. Quantum resistant algorithms would need to be developed when and if that happens.
For now, and probably in your lifetime, you should do well with a 2048 bit key. When quantum computing finally comes out of infancy, then all bets are off.
-
nerpherpderp commented
@ Name Surname
> But when will they change it to 4096 bit RSA?
I assume once they finish their proposed Keychain Manager. You're asking for a specific date, and I doubt they know that themselves.
First, it has to be implemented. Then tested, then perhaps more formally announced for release. At that point maybe there is a specific release date when it is available.
-
Name Surname commented
@nerpherpderp
But when will they change it to 4096 bit RSA?
Also there should be a way to check by yourself which you have.
-
nerpherpderp commented
@ Name Surname
See what the Admin wrote above on May 27, 2016:
> New accounts now have the ability to be created using 4096 bit keys. We are working to build a Keychain manager for existing accounts. https://protonmail.com/blog/protonmail-beta-v3-1-release-notes/
-
Name Surname commented
What happens to accounts that were created with 2048 bit RSA keys? Are you going to upgrade them to 4096 bit RSA and when will this happen?
-
Mick commented
The only solution out there that does this BY DEFAULT is mailfence.com - where they generate a 4096 bit key-pair for every user, without affecting (or little to none) the speed of their web suite.
For me this is a BIG DEAL !!!
-
lbort commented
According to this page pasted below, it is possible to set 4096 bit for new addresses. I just signed up today, and apparently the key for the main address is 2048 bit, and this cannot be changed. Why do you not let us choose, if you support 4096 bit keys? Should be an easy choice, no?
https://protonmail.com/support/knowledge-base/aliases-within-protonmail/
-
Paul commented
I see that new accounts have the option of 4096 bit keys (I saw this when adding new email addresses to my personal domain). Is there any way of changing my current accounts from a 2048 bit key to a 4096 key - I would want this for my main protonmail account and my existing personal domain accounts.
-
Anonymous commented
With the help of hum Cluster, it will not be impossible to break 1024 && 2048 bits.
-
Anonymous commented
The OP is interested in perfect forward secrecy.
Some elliptic curve algorithms rely on random numbers. Good random number generators come in two flavors: cryptographically secure, and cryptographically insecure. Which one do you have? True randomness would be even better, but it requires some hardware.
-
Anonymous commented
This may sound a little too futuristic. But I feel the need to remind everyone that quantum computers are on their way not too far in the future. Prototype versions which still aren't completely operational are already in the labs, and are receiving a huge hand from governments. Just saying, but for true long term privacy, we need to slowly start developing a new method of encryption. Experts say that once quantum computers phase in those monster computers could break conventional RSA, Bank/Military grade encryption in mere seconds.
-
Anonymous commented
I would like to add to this the option for ECC instead of RSA
-
Anonymous commented
We should at least have the option of higher bit keys for those who have decent computers that can handle it.
-
Anonymous commented
Use of 4096-bit RSA keys usually comes from a misunderstanding about the security benefits. They are negligible. The costs, however, are high (in comparison with the gains): more expensive in computer resources, less interoperability with OpenPGP implementations that don't handle 4096-bit keys.
See the GnuPG project's FAQ:
— “Why doesn’t GnuPG default to using RSA-4096?”[1]
— “Why do people advise against using RSA-4096?”[2]
— “Why does GnuPG support RSA-4096 if it’s such a bad idea?”[3]
If we want more security, the two ways to go are elliptic curve cryptography, which allows us to have higher security with much smaller keys, and post-quantum cryptography[4], which allows us to be safe from potential future quantum computers (Peter Shor has formulated a quantum algorithm able to solve the factoring problem in polynomial time[5], breaking current RSA public-key cryptosystems).
[1]: https://gnupg.org/faq/gnupg-faq.html#no_default_of_rsa4096
[2]: https://gnupg.org/faq/gnupg-faq.html#please_use_ecc
[3]: https://gnupg.org/faq/gnupg-faq.html#not_a_bad_idea_just_unnecessary
[4]: https://en.wikipedia.org/wiki/Post-quantum_cryptography
[5]: https://en.wikipedia.org/wiki/Shor's_algorithm
-
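As an added illustration of the key-size arithmetic in Mark Z's comment and in the GnuPG FAQ comment above (this is example code, not ProtonMail's or GnuPG's), the block below estimates the security strength of an RSA modulus from the GNFS cost heuristic and times the corresponding private-key operation. The formula's 4.69 offset is assumed here as the calibration that makes it reproduce NIST's published RSA-to-strength table; the timing uses random moduli, not real keys.

```python
import math
import secrets
import time

# NIST SP 800-57 lists these security strengths for RSA 1024/2048/3072/7680/15360.
NIST_STRENGTHS = (80, 112, 128, 192, 256)


def gnfs_strength_bits(modulus_bits: int) -> float:
    """Estimated security strength of an RSA modulus in bits, from the GNFS
    heuristic L[1/3, (64/9)^(1/3)]. The 4.69 offset is an assumed calibration
    that makes the estimate line up with NIST's published equivalences."""
    ln_n = modulus_bits * math.log(2)
    c = (64 / 9) ** (1 / 3)
    work_nats = c * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3) - 4.69
    return work_nats / math.log(2)


def nist_equivalent_strength(modulus_bits: int) -> int:
    """Snap the estimate to the nearest standard strength (80/112/128/192/256)."""
    est = gnfs_strength_bits(modulus_bits)
    return min(NIST_STRENGTHS, key=lambda s: abs(s - est))


def strength_gain_bits(from_bits: int, to_bits: int) -> float:
    """Extra bits of security gained by moving between modulus sizes."""
    return gnfs_strength_bits(to_bits) - gnfs_strength_bits(from_bits)


def private_op_slowdown(small_bits: int = 2048, large_bits: int = 4096,
                        reps: int = 3) -> float:
    """Time ratio of a full-size modular exponentiation (the core of an RSA
    decrypt or sign) for large vs small moduli. Random odd moduli and exponents
    are used: real keys are not needed to observe the cost scaling."""
    def bench(bits: int) -> float:
        n = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        d = secrets.randbits(bits) | (1 << (bits - 1))
        m = secrets.randbelow(n)
        t0 = time.perf_counter()
        for _ in range(reps):
            pow(m, d, n)
        return (time.perf_counter() - t0) / reps
    return bench(large_bits) / bench(small_bits)


if __name__ == "__main__":
    for k in (1024, 2048, 3072, 4096):
        print(f"RSA-{k}: ~{gnfs_strength_bits(k):.0f} bits "
              f"(nearest standard strength {nist_equivalent_strength(k)})")
    print(f"2048 -> 4096 gains {strength_gain_bits(2048, 4096):.1f} bits")
    print(f"4096-bit private op is ~{private_op_slowdown():.1f}x slower than 2048")
```

The heuristic puts RSA-4096 near 150 bits, roughly 40 bits above RSA-2048, for a private operation that is several times slower; the figures quoted in the thread differ, and the formula is an estimate, not a measurement of any real attack.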
Anonymous commented
To the previous commenter: 4096-bit keys are considered the current maximum. PGP software doesn't usually even have options for going beyond 4096. Using 4096-bit instead of 2048-bit results in exactly the scenario you describe because it makes attacks significantly more time-consuming and costly for adversaries.
While it's helpful to protect keys with a high number of hash iterations, you should really be relying on a strong password instead of on the number of hashes. Increasing the hash iterations won't significantly slow down an attacker who is using a large GPU cluster to brute-force your key's password, and it will make your own encryption/decryption steps take much longer. Increasing the length and randomness of your password is better because an attacker then has to continue brute-forcing for years/centuries/millennia more before cracking your password, while you only have to memorize a little more text.
-
Anonymous commented
They should use beyond 4096-bit keys (since it is all done on the client side .. key generation should be in the control of account holders) .. They should make it both costlier and time-consuming for adversaries even if Protonmail does eventually comply with US requests and is forced to turn over encrypted mailboxes. In fact, the PGP keys should not be protected using the present method - more iterations are needed to resist key brute-force.
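As an added example for the two comments above on protecting the private key with more hash iterations (example code, not ProtonMail's), the block decodes the OpenPGP iterated-and-salted S2K count from RFC 4880 and compares, in bits of attacker work, what raising that count buys against adding passphrase entropy. The Diceware wordlist size is the standard 7776; everything else is plain arithmetic on the format.

```python
import math

# RFC 4880 section 3.7.1.3: an iterated+salted S2K stores its byte count as a
# single coded octet; the decoded count is (16 + low nibble) << (high nibble + 6).
S2K_MIN_COUNT = 1024        # coded octet 0x00
S2K_MAX_COUNT = 65011712    # coded octet 0xFF

DICEWARE_WORDLIST_SIZE = 7776   # 6^5 words, so log2(7776) ~ 12.9 bits per word


def s2k_decode_count(coded: int) -> int:
    """Number of bytes hashed for a one-octet coded S2K count."""
    if not 0 <= coded <= 255:
        raise ValueError("coded S2K count must fit in one octet")
    return (16 + (coded & 15)) << ((coded >> 4) + 6)


def s2k_encode_count(wanted: int) -> int:
    """Smallest coded octet whose decoded count is at least `wanted`
    (saturates at 0xFF, since the format cannot express more)."""
    for coded in range(256):
        if s2k_decode_count(coded) >= wanted:
            return coded
    return 255


def attacker_work_bits(password_entropy_bits: float, s2k_count: int) -> float:
    """log2 of the expected attacker effort, in units of 'bytes hashed', to
    guess a password of the given entropy through this S2K setting."""
    return password_entropy_bits + math.log2(s2k_count)


def diceware_entropy_bits(words: int) -> float:
    """Entropy of a passphrase of `words` uniformly chosen Diceware words."""
    return words * math.log2(DICEWARE_WORDLIST_SIZE)


def iteration_gain_bits(from_count: int, to_count: int) -> float:
    """Bits of extra attacker work from raising the S2K count; note that the
    user pays the same factor on every decrypt, while the attacker pays it once
    per guess."""
    return math.log2(to_count / from_count)


if __name__ == "__main__":
    max_gain = iteration_gain_bits(S2K_MIN_COUNT, S2K_MAX_COUNT)
    print(f"Maxing out S2K (0x00 -> 0xFF) adds {max_gain:.1f} bits of work")
    print(f"Adding two Diceware words adds {diceware_entropy_bits(2):.1f} bits")
    print(f"Coded octet for >= 65536 bytes: 0x{s2k_encode_count(65536):02x}")
```

Even the largest count the format can express is only about 16 bits of work above the smallest, which is what two extra random words of passphrase give for free at decrypt time.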