[OK, let me try this again, since we clearly got off on the wrong foot here. My apologies for overreacting to Damien's post; I have been receiving dozens of emails from the far corners of the Net over the last few days that alternatively claimed that I was a stooge of the NSA because everybody knows that 8k RSA keys can be factored in real-time, or that 512-bit RSA keys were untouchable since nobody could even perform an exhaustive search of a 128-bit key space...]

Damien wrote:
> I am disputing that the improvements as presented are
> practically relevant. Since you saw fit to cross-post to
> openssh-unix-dev@, which is a list concerned with code (not
> polemic), that is the context in which I chose to frame my reply.

My post reported on what was announced at an academic cryptographic conference by a cryptographer who has written peer-reviewed papers on the design of large-scale cryptographic processing machines in the past (i.e., how one would in practice build one of Rivest's MicroMint machines). I believe my relaying these claims was responsible, given the potentially massive security implications to a good part of the infrastructure. In addition, a reporter for the Financial Times was present at the same event, who announced his intent to write about it as well.

Nowhere in the post did I make, or intend to make, claims of my own as to the impact of Bernstein's paper on factoring. I did report on my reaction to the claims which I witnessed and on which I therefore reported. My reaction to those claims was to create larger keys. Others may choose to react differently. Furthermore, I provided those concerned with the new claims with what I believe are sound recommendations on how to counter the potential threat, which was to increase the key size.

[On Nicko's rump session talk that they factored 512-bit keys on the hardware in their office]

> You offer this aside in the context of an argument against
> the insufficiency of 1024 bit RSA keys. Surely you don't
> expect people to believe that you weren't including it to
> bolster your argument?

To be perfectly honest, the thought that somebody on a mailing list related to cryptographic software would believe that I meant my reporting on the news that somebody factored 512-bit keys on the computers in their office to imply that this has any bearing on a potential ability to factor 1024-bit keys on purpose-built hardware never even occurred to me.

I really, really meant coincidentally when I wrote coincidentally. The two pieces of news came within a day of each other, so while reporting on one, I thought I'd make mention of the other as well. That's all.

Well, on second thought, I suppose there actually is an, albeit removed, connection between the two: many sites still use 512-bit keys; even if one is unconcerned about 1024-bit keys being breakable, hopefully those with 512-bit keys will take the fact that 512-bit keys can be broken by some office hardware as a reason to upgrade key sizes.

[...]

> Your post is hyperbole because it is very long on verbiage and
> very short on justification. Large claims require a good
> amount of proof: If you expect everyone to switch to 2048 bit
> keys on the basis of your rant alone, you may be disappointed.

I don't really personally care what key sizes others use. For all I care, others are welcome to employ 4-bit RSA keys, as long as they don't use those keys to authenticate themselves to any of the machines under my control.

Which brings me to an issue that I hope may be on-topic for this mailing list: I would like to be able to enforce that the keys my users can use to authenticate themselves to my sshd are of a minimum size. Is there a config option to sshd that will reject user keys below a minimum size? I didn't see anything in the man pages or on my first go through the code.

Thanks in advance,

--Lucky
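On the question just asked, here is an added example (not from this post, from Damien, or from OpenSSH): a standard-library Python check that reads an authorized_keys file, parses each ssh-rsa blob and flags any modulus below an assumed 2048-bit policy. The sample entries are constructed from integers of a chosen bit length, not real RSA moduli.

```python
"""Flag ssh-rsa authorized_keys entries below a minimum modulus size (added example; stdlib only)."""
import base64, struct
MIN_RSA_BITS = 2048  # assumed policy value for this example
_ssh_string = lambda b: struct.pack(">I", len(b)) + b  # SSH wire string: uint32 length + bytes

def _read_string(blob: bytes, off: int):
    """Decode one SSH wire string at off; return (data, next offset)."""
    n = struct.unpack(">I", blob[off:off + 4])[0] if off + 4 <= len(blob) else None
    if n is None or off + 4 + n > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4:off + 4 + n], off + 4 + n

def encode_rsa_blob(e: int, n: int) -> str:
    """Base64 ssh-rsa blob (RFC 4253 6.6: string "ssh-rsa", mpint e, mpint n); sample-building only."""
    mp = lambda x: x.to_bytes((x.bit_length() + 8) // 8, "big")  # leading 0x00 keeps the mpint positive
    return base64.b64encode(b"".join(_ssh_string(p) for p in (b"ssh-rsa", mp(e), mp(n)))).decode()

def rsa_modulus_bits(b64_blob: str) -> int:
    """Modulus bit length of an ssh-rsa public key blob; ValueError if malformed or not RSA."""
    blob = base64.b64decode(b64_blob, validate=True)
    key_type, off = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError(f"not an ssh-rsa key: {key_type!r}")
    _e, off = _read_string(blob, off)
    return int.from_bytes(_read_string(blob, off)[0], "big").bit_length()

def check_authorized_keys(text: str, min_bits: int = MIN_RSA_BITS):
    """Return [(line_no, verdict, detail)]; verdict is ok, weak, unchecked or invalid."""
    out = []
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        # An options field (e.g. command="...") may precede the key type.
        idx = next((i for i, f in enumerate(fields) if f.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or idx + 1 >= len(fields):
            out.append((no, "invalid", "no key type and blob found"))
        elif fields[idx] != "ssh-rsa":
            out.append((no, "unchecked", f"{fields[idx]} is not sized by this check"))
        else:
            try:
                bits = rsa_modulus_bits(fields[idx + 1])
                out.append((no, "ok" if bits >= min_bits else "weak", f"{bits}-bit RSA"))
            except ValueError as exc:
                out.append((no, "invalid", str(exc)))
    return out

SAMPLE_AUTHORIZED_KEYS = "\n".join([  # constructed sample: 1024-bit and 2048-bit (with options); n is not a real modulus
    "ssh-rsa " + encode_rsa_blob(65537, (1 << 1023) | 1) + " alice@example",
    'command="/bin/false" ssh-rsa ' + encode_rsa_blob(65537, (1 << 2047) | 1) + " bob@example",
])
```

Running `check_authorized_keys(SAMPLE_AUTHORIZED_KEYS)` marks the first entry weak and the second ok; an options field with a quoted space would need a proper tokenizer, which this check omits.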