On Tue, Sep 17, 2013 at 05:01:12PM -0400, Perry E. Metzger wrote:

> (Note that this assumes no cryptographic breakthroughs like doing
> discrete logs over prime fields easily or (completely theoretical
> since we don't really know how to do it) sabotage of the elliptic
> curve system in use.)
>
> Given that many real organizations have hundreds of front end
> machines sharing RSA private keys, theft of RSA keys may very well be
> much easier in many cases than broader forms of sabotage.
There is also I suspect a lot of software with compiled-in EDH primes (RFC 5114 or other). Without breaking EDH generally, perhaps they have better precomputation attacks that were effective against the more popular groups.

I would certainly recommend that each server generate its own EDH parameters, and change them from time to time. Sadly when choosing between a 1024-bit or a 2048-bit EDH prime you get one of interoperability or best-practice security but not both.

And indeed the FUD around the NIST EC curves is rather unfortunate. Is secp256r1 better or worse than 1024-bit EDH?

-- 
Viktor.

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
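As an added illustration of the per-server EDH recommendation above (example code written for this page, not from the thread or from any named library), the following generates a fresh safe-prime group for a server and audits a group the way an operator would before deploying it: modulus size, safe-prime check, order of the generator, and whether the prime matches an operator-maintained fingerprint list of published or compiled-in groups. The fingerprint set `SHARED_GROUP_FINGERPRINTS` and the 128-bit size used for the quick run are assumptions, not values from the post.

```python
import hashlib
import secrets

# Assumed placeholder: SHA-256 of the big-endian bytes of each published or
# compiled-in prime (e.g. the RFC 5114 groups) the operator wants flagged.
# Fill from the RFC texts; left empty so the example runs offline.
SHARED_GROUP_FINGERPRINTS: set[str] = set()


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin with random bases; trial division first for speed."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_group(bits: int) -> tuple[int, int]:
    """Fresh per-server group: safe prime p = 2q+1 of `bits` bits, g of order q."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1  # odd, top bit set
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            p = 2 * q + 1
            break
    g = 2
    while pow(g, q, p) != 1:  # skip generators of the full order-2q group
        g += 1
    return p, g


def audit_group(p: int, g: int) -> dict:
    """Checks an operator would run on (p, g) before (re)deploying EDH params."""
    q = (p - 1) // 2
    fp = hashlib.sha256(p.to_bytes((p.bit_length() + 7) // 8, "big")).hexdigest()
    gq = pow(g, q, p) if 1 < g < p - 1 else 0
    return {
        "bits": p.bit_length(),
        "safe_prime": is_probable_prime(p) and is_probable_prime(q),
        "generator_order": "q" if gq == 1 else "2q" if gq == p - 1 else "bad",
        "shared_group": fp in SHARED_GROUP_FINGERPRINTS,
        "meets_2048": p.bit_length() >= 2048,
    }
```

Production parameters should be generated at 2048 bits (the pure-Python loop above is only practical for small demonstration sizes); the audit itself is cheap at any size.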