Kan-Ru Chen's Weblog

Created a 4096 bit GPG key to replace my 1024 bit one

In light recent new attacks against SHA-1 [1,2], and the NIST guidance on 1024 bit keys and SHA-1 hashes [3,4], I have decided to move to a new OpenPGP key of a larger size. As such, I will be slowly transitioning away from my old key.

因應最近的幾起 SHA-1 攻擊 [1,2], 興起了一陣更新 OpenPGP 金鑰的風潮. 我也會慢慢過渡到新的金鑰.

My old key will continue to be valid for some time to come, but I'd prefer all new correspondence to use the new one. I'll also be switching my outgoing signatures (email and code) onto the new key. For this to work well, I'd like my new key to be re-integrated into the web of trust. So, I've signed this message with both the old and the new keys, to certify the transaction.

舊的金鑰還可以持續使用一陣子, 但我還是希望未來大家都可以改用新的金鑰. 我也會改用新的金鑰來簽署 email 和文件. 為了讓一切順利進行, 最好是新的金鑰可以被加到信任網中.

the old key was:

舊的金鑰是:

    pub   1024D/365CC7A2 2004-06-28 Kanru Chen (koster)
     Primary key fingerprint: 3278 DFB4 BB28 6E8C 9E1F  1ECB B1B7 5B5F 365C C7A2

And the new key is:

新的金鑰是:

    pub   4096R/CEC6AD46 2009-10-19 Kan-Ru Chen (陳侃如)
     Primary key fingerprint: 374F F2AD 0A12 935F D0B0  C84F 1B13 2E01 CEC6 AD46

To fetch my new key from a public key server, you can simply do:

使用以下命令, 可以從公開金鑰伺服器取得我的新金鑰:

    gpg --keyserver pgp.mit.edu --recv-key CEC6AD46

If you already know my old key, you can now verify that the new key is signed by the old one:

如果您己經有我的舊鑰, 您可以確認我的新鑰己由舊鑰簽名.

    gpg --check-sigs CEC6AD46

If you don't already know my old key, or you just want to be double extra paranoid, you can check the fingerprint against the one above:

如果您不知道我的舊鑰, 或只是想再次確認, 您可以檢查上面的指紋.

    gpg --fingerprint CEC6AD46

If you are satisfied that you've got the right key, and the UIDs match what you expect, I'd appreciate it if you would sign my key:

如您確定拿到對的金鑰了, UIDs 也如預期, 能就此簽署我的新鑰是在好不過.

    gpg --sign-key CEC6AD46

Lastly, if you could upload these signatures, I would appreciate it. Please could you just upload the signatures to a public keyserver directly:

若您簽署之後可以把簽名上傳到公開金鑰伺服器就太好了.

    gpg --keyserver pgp.mit.edu --send-key CEC6AD46

Please let me know if there is any trouble, and sorry for the inconvenience.

過程中若有什麼問題請讓我知道, 抱歉帶來不便.

Thanks, Kanru

Sign 過的版本, 用 gpg --verify 驗證

  1. http://eurocrypt2009rump.cr.yp.to/837a0a8086fa6ca714249409ddfae43d.pdf
  2. http://www.debian-administration.org/users/dkg/weblog/48
  3. http://csrc.nist.gov/groups/ST/hash/statement.html
  4. http://csrc.nist.gov/publications/nistpubs/800-57/SP800-57-Part1.pdf