Jerry Leichter <leich...@lrw.com> writes:
>> Do we really believe we won't be able to
>> attack a 1024 bit key with a sufficiently large budget even in 10
>> years? ...
>
> Currently, the cryptographic cost of an attack is ... 0. How many
> attacks have there been? Perhaps the perceived value of owning part
> of DNS isn't as great as you think.

Actually, there are routine attacks on DNS infrastructure these days, but clearly they're not cryptographic since that's not deployed. However, a large part of the point of having DNSSEC is that we can then trust the DNS to be accurate so we can insert things like cryptographic keys into it.

Once we've made the DNS trusted, we have the problem that people will go off and trust it, you see. I'm particularly concerned about the fact that it is difficult to a priori analyze all of the use cases for DNSSEC and what the incentives may be to attack them. If you can't analyze something, that's a warning that you don't understand the implications. That makes me fear anything that says "the key doesn't need to be more than strength X".

Sure, perhaps it is true that the expense of DNSSEC isn't worth it -- we limp along without it now, as you point out -- but if that is true, what do we gain by deploying a system which could be compromised in so straightforward a way, with money being the only constraint? Why deploy at all if we aren't going to be able to use it as we want? If we can't trust the data very well, we've spent lots of time and money and gained nothing?

I'm doubly questioning because it seems pointless anyway -- the point of the shorter keys is to avoid needing TCP connections to DNS servers, but so far as I can tell that will end up becoming rapidly necessary anyway, at which point one has to ask what one is gaining by lowering key length.

BTW, I've come across some (old) estimates from Shamir et al. that indicate a TWIRL machine that could break 1024 bit keys in a year would have cost about $10M something like 5 years ago using a 90nm process. At this point, with 32nm processes available, they'd be substantially cheaper, and thus with a serious budget it seems like we're really quite on the edge here.
Even $10M may now be enough to break them fast enough if you can come up with a clever speedup of only a small factor, and I don't like trusting security to the idea that no one with a large budget is clever enough to find a small constant factor speedup.

I presume that in another 10 years we'll have a quite serious reduction in cost, which is yet worse.

All in all, that's too close for comfort, especially since I can see the point in a Large Bad Actor spending orders of magnitude more on this than just $10M.

Perry
--
Perry E. Metzger pe...@piermont.com

The Cryptography Mailing List