On 2/8/2017 10:56 AM, Panos Kampanakis (pkampana) wrote:
One correction: 1024-bit RSA/DSA is not the same security level as 256-bit curve ECDSA or Ed25519.
But neither is a group symmetric key of any sized used for authentication/authorization.
The point is that weaker but good enough security on the asymmetric side is going to be a better solution than ANY group symmetric key.
NIST et al have given some guidance about key strengths and their uses with respect to the broadest set of threats and following the guidance is pretty much good engineering. But, looking at something like RSA 1024 bit (or the ECDSA equivalent of about 166 bits - I think that's the right number), and looking at the threat environment for the target application, and noting that it's trivial (protocol wise) to change out the size of the key (e.g. scale it) in higher threat environments, 1024/166 bits may not be a bad choice for minimum security for non-man rated IOT control things.
Mike
To compare apples to apples you would need 3072-bit RSA/DSA sigs which ends up being far worse in terms of sig size and performance. Agreed that symmetric group key auth has plenty of limitations. Panos -----Original Message----- From: Ace [mailto:ace-boun...@ietf.org] On Behalf Of Michael StJohns Sent: Tuesday, February 07, 2017 9:55 PM To: ace@ietf.org Subject: [Ace] Asymmetric signature performance Hi - This is sort of non-obvious, but one or two articles I read suggest that RSA 1024 performance may be better than the ECDSA equivalent. The tradeoff here is obviously the size of the signature and the transmission thereof, but... While 1024 bits isn't an ideal security strength for RSA, using any asymmetric key system for source authentication in group systems is going to be much better than trying to pretend that symmetric group key systems have any authentication properties at all. I saw a PPT presentation by Hannes that didn't include any RSA performance numbers for the ARM processors even though the key sizes were compared. My guess is that someone has numbers for 1024 RSA signatures on the tiny ARM processors that might be useful to throw into the mix. https://www.cryptopp.com/benchmarks.html has comparison values for a specific library. What I'm suggesting is that we figure out how to meet the "can't cost anything" requirement with weaker asymmetric keys rather than accepting a low end fantasy of symmetric key multicast authentication. Mike _______________________________________________ Ace mailing list Ace@ietf.org https://www.ietf.org/mailman/listinfo/ace _______________________________________________ Ace mailing list Ace@ietf.org https://www.ietf.org/mailman/listinfo/ace
_______________________________________________ Ace mailing list Ace@ietf.org https://www.ietf.org/mailman/listinfo/ace