On Sun, 26 Nov 2000, Benjamin Scott <[EMAIL PROTECTED]> wrote:
> On Sun, 26 Nov 2000, Kenneth E. Lussier wrote:
> > I won't use anything less than 4096-bit for authentication keys. To some,
> > that may be considered overkill, but to me it's plain old common sense.
> 
>   I think Derek's point was that it isn't common sense at all.
> 
>   A 1024-bit key will take some unimaginably huge number of years to factor.  
> So many years, in fact, that even if Moore's Law holds indefinitely, you still
> couldn't cover the entire keyspace before the end of the universe (or
> something like that).
> 
>   Increasing the key length to 4096 bits thus provides *zero* additional
> protection, while wasting company resources -- i.e., wasting money.

You might want to be a little bit cautious here because the success of
cracking RSA (and other PPK schemes) depends critically on the cracking
*algorithm*. If you keep the algorithm fixed, your Moore's Law
estimates hold.

However the algorithms do improve, sometimes with surprising results.

For RSA, the factoring of large integers is the algorithm currently
used to crack that system. In 1977 Ron Rivest (the 'R' in RSA and rc4,
rc5, ...) predicted the time to factor a 415 bit number would take 40
quadrillion years (many times the age of the universe). However, in
1994 a 428 bit number was factored.  And last year a 514 bit number was
factored:

   http://www.rsasecurity.com/rsalabs/challenges/factoring/rsa155.html

These improvements were due mostly to factoring algorithm improvements,
not so much the availability of more CPU power.

Now, I'm not saying a 1024 bit RSA key is not "enough". Depends a bit
on how long you want to keep the information secret. For a few years
I'd opt for a 1024 bit key. For a few decades I'd probably lean toward
a somewhat longer key (2048 - 4096?). But who knows what will come to
pass on that time scale.

Also, chances are there is no (bad?) person or government that has a
fast factoring algorithm and is currently keeping it secret. But
wouldn't that be an amusing situation if an algorithm that could
efficiently factor 1024 bit numbers was suddenly dropped in our laps!!!

FWIW, I believe the RSA algorithm scales as the cube of the number of
bits. So for most (but not all! e.g. high volume SSL site) applications
one could jack up the RSA key size a fair amount (say factor 2 - 4)
before being noticed. It depends on the number of RSA encryptions of
session keys per second the machine is performing.

Anyway, BEN, I am not advocating 4096 RSA keys. I'm just supplying
additional geeky information for those interested in these subtleties.
And I actually believe a sysadmin should probably know a little bit
about these things (and other sorts of attacks on PPK).

As always, Schneier's "Applied Cryptography" has all the gory details.


Karl
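
Added example, not part of the original message: a comparison of how the estimated factoring work changes with the algorithm (quadratic sieve versus general number field sieve) and how the key owner's cost grows under the cubic model mentioned above. It assumes the standard heuristic L-notation formulas with the o(1) term dropped, so the figures are only meaningful relative to each other; all function names are made up for this sketch.

```python
import math

LN2 = math.log(2)

def qs_bits(bits):
    """log2 of quadratic-sieve work, L_n[1/2, 1], for a modulus of `bits` bits."""
    ln_n = bits * LN2
    return math.sqrt(ln_n * math.log(ln_n)) / LN2

def gnfs_bits(bits):
    """log2 of number-field-sieve work, L_n[1/3, (64/9)^(1/3)]."""
    ln_n = bits * LN2
    c = (64 / 9) ** (1 / 3)
    return c * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3) / LN2

def private_op_cost_ratio(bits, baseline=1024):
    """Relative cost of one RSA private-key operation under the cubic
    model from the message (assumption: cost ~ bits**3)."""
    return (bits / baseline) ** 3

def compare(sizes=(512, 1024, 2048, 4096)):
    """Rows of (bits, QS work in bits, GNFS work in bits, owner cost vs 1024)."""
    return [(b, round(qs_bits(b), 1), round(gnfs_bits(b), 1),
             private_op_cost_ratio(b)) for b in sizes]

if __name__ == "__main__":
    print(f"{'bits':>5} {'QS 2^x':>8} {'GNFS 2^x':>9} {'owner cost':>11}")
    for bits, qs, gnfs, cost in compare():
        print(f"{bits:>5} {qs:>8} {gnfs:>9} {cost:>10.2f}x")
```

The gap between the two attack columns widens with key size, which is the effect of an algorithmic improvement rather than of faster hardware.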

