I am not saying symmetric keys are better than public key auth. I am saying that applying an 80-bit security level (RSA/DSA1024) today offers a false sense of security. You might as well not authenticate the messages.
-----Original Message----- From: Ace [mailto:[email protected]] On Behalf Of Michael StJohns Sent: Wednesday, February 08, 2017 5:48 PM To: [email protected] Subject: Re: [Ace] Asymmetric signature performance On 2/8/2017 10:56 AM, Panos Kampanakis (pkampana) wrote: > One correction: 1024-bit RSA/DSA is not the same security level as 256-bit > curve ECDSA or Ed25519. But neither is a group symmetric key of any sized used for authentication/authorization. The point is that weaker but good enough security on the asymmetric side is going to be a better solution than ANY group symmetric key. NIST et al have given some guidance about key strengths and their uses with respect to the broadest set of threats and following the guidance is pretty much good engineering. But, looking at something like RSA 1024 bit (or the ECDSA equivalent of about 166 bits - I think that's the right number), and looking at the threat environment for the target application, and noting that it's trivial (protocol wise) to change out the size of the key (e.g. scale it) in higher threat environments, 1024/166 bits may not be a bad choice for minimum security for non-man rated IOT control things. Mike > To compare apples to apples you would need 3072-bit RSA/DSA sigs which ends > up being far worse in terms of sig size and performance. > > Agreed that symmetric group key auth has plenty of limitations. > > Panos > > > > -----Original Message----- > From: Ace [mailto:[email protected]] On Behalf Of Michael StJohns > Sent: Tuesday, February 07, 2017 9:55 PM > To: [email protected] > Subject: [Ace] Asymmetric signature performance > > Hi - > > This is sort of non-obvious, but one or two articles I read suggest that RSA > 1024 performance may be better than the ECDSA equivalent. > > The tradeoff here is obviously the size of the signature and the transmission > thereof, but... > > While 1024 bits isn't an ideal security strength for RSA, using any > asymmetric key system for source authentication in group systems is going to > be much better than trying to pretend that symmetric group key systems have > any authentication properties at all. > > I saw a PPT presentation by Hannes that didn't include any RSA performance > numbers for the ARM processors even though the key sizes were compared. My > guess is that someone has numbers for 1024 RSA signatures on the tiny ARM > processors that might be useful to throw into the mix. > > https://www.cryptopp.com/benchmarks.html has comparison values for a specific > library. > > What I'm suggesting is that we figure out how to meet the "can't cost > anything" requirement with weaker asymmetric keys rather than accepting a low > end fantasy of symmetric key multicast authentication. > > Mike > > > > > _______________________________________________ > Ace mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/ace > > _______________________________________________ > Ace mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/ace _______________________________________________ Ace mailing list [email protected] https://www.ietf.org/mailman/listinfo/ace _______________________________________________ Ace mailing list [email protected] https://www.ietf.org/mailman/listinfo/ace
