[EMAIL PROTECTED] (Peter Gutmann) writes:
> I would go further and say that for most applications of PKCs/PKI
> today, 1024-bit RSA keys are not a risk at all, or more
> specifically that on a scale of risk they're so far down the list
> that they're close to negligible. As numerous security HCI studies
> have shown, user comprehension of PKI is close to zero percent,
> which means that the security effectiveness of the same is also
> close to zero.

Although I agree that key cracking is not a threat we should concern ourselves with by a long shot, that does not mean that changing to larger keys is not cost effective. This is because larger keys are essentially free -- it costs no more (for most applications) to generate a 2048 bit key than a 1024 bit key, so there is no incentive not to.

However, I violently agree that no one should be under the illusion that longer keys will protect them from the most realistic security threats. (For those applications where longer keys actually will cost significantly and the value of the keys is low, the calculation changes and there is little or no reason to upgrade.)

> As the multi-billion dollar phishing industry has
> ably demonstrated, the bad guys are more than aware of this too. So
> going from x-bit RSA to y-bit RSA on a component with close to
> zero-percent effectiveness is... well, I'll let you do the maths.

https with X.509 certs is not the only application of RSA keys, of course. There are a significant number of applications where the keys actually do work reasonably effectively, and the real threat is not phishing but code bugs. Still, in spite of the fact that no one is, say, formally validating openssh, it costs nothing to request a 2048 bit key instead of a 1024 bit key, and I'm not sure it is a bad idea to do that on an opportunistic basis.

Even for https, it costs no more to type in "2048" than "1024" into your cert generation app the next time a cert expires. The only potential cost is if you're so close to the performance line that slower RSA ops will cause you pain -- otherwise, it is pretty much costless. For average people's web servers most of the time, connections are sufficiently infrequent and RSA operations are "fast enough" that it makes no observable difference.

> Until the hundred other constituent parts required to secure
> something like web browsing are fixed, changing the key size is just
> pointless posturing, since it's not fixing anything that anyone is
> attacking. Once all the other bits are fixed and working as
> intended, then we can go back to debating whether length is more
> important than width in key sizes.

I'm not sure I entirely buy the argument. Certainly there are other far more (overwhelmingly more) important issues, and certainly a steel door helps little in a tissue paper wall, but that is no reason to let the door slowly rust away while you rebuild the wall, especially if protecting it from rust is literally effortless.

At the same time, I'll agree that reading this argument is itself probably more expensive than the benefit longer key length is likely to provide someone in the near future.

Perry

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]