I wasn't [specifically] referring to SSL. In fact, the mere premise of passing data designated as "must be protected" for a 20 year timeframe over 128 bit SSL (with a 1024 bit client key) frightens me to the core. (If the encryption of this data was protecting *you* from [we'll go on a limb here and be dramatic] an crime organization with tens of millions of dollars to devote to discovering who turned them in to the Feds, would *you* want it sent over a 1024 bit SSL link?!)
*THIS* is what's really wrong with the industry - we have people using technology in inappropriate situations. Too many who DO understand how to use it appropriately with the responsibilities, restrictions, and caveats that come with that understanding are either unable or unwilling to convince those in the position of "final decision maker" of just how WRONG certain applications/implementations actually are. Bottom line, if the available protocols & application cannot support the data protection requirements - DO NOT send the data over that link. For a baseline dissertation on key lengths for symmetric and asymmetric ciphers, please see: http://www.giac.org/practical/gsec/Lorraine_Williams_GSEC.pdf Additionally, RSA currently recommends 2048 bit keys for "extremely valuable keys". My gut says that knowing about devices like TWIRL, et al. make 2048 bit keys risky for long-term protection because God only knows what devices we *don't* know about. -dsp -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Arthur Chan Sent: Sunday, August 10, 2003 7:52 AM To: [EMAIL PROTECTED] Subject: Re: high-grade vs low-grade encryption with MD5 and DES Practicality : do not use 4096 bits server side private key. No, not even 2048. Key size larger than 1024 is not supported by those bollocky client browsers. Netscape and MSIE4 come to mind. Regards, Arthur Chan ----- Original Message ----- From: "Dave Paris" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Monday, August 11, 2003 07:34 PM Subject: RE: high-grade vs low-grade encryption with MD5 and DES > The "5 minutes" I mentioned doesn't implicitly refer to the amount of time > needed to crack the ciphertext, but more the type of data and the amount of > time it needs to be protected. > [...] > Example 2: > A "sealed" court case which is mandated to be sealed for 20 years needs to > be protected by a cipher capable of using a large enough keyspace to keep a > sustained attack against the data at bay for that 20 years. > > Herein lies the challenge in the practical utilization of cryptography... > how do we know what will protect data for 20 years? We don't. So we make > educated guesses. We make compromizes. We use "best-available". In the > example of the password above, 56 bit DES would be a reasonable choice. > It's fast, but weak - yet strong enough to keep that password encrypted for > the two or three - heck, six, minutes it would be attacked. (this is not to > say that one should use the weakest available cipher for any given problem > set! 3DES, AES, or Blowfish would be a much better choice in any case.) In > the example of the sealed court records, we're not worried about transaction > speed or decryption speed so an asymmetric cipher capable of utilizing a > 4096 bit (or larger!) private key is much more appropriate. [...] ______________________________________________________________________ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]