On Sat, Oct 17, 2009 at 02:23:25AM -0700, John Gilmore wrote:

> > Given that they are attempted to optimize for minimal packet size, the
> > choice of RSA for signatures actually seems quite bizarre.

> Each of these records is cached on the client side, with a very long
> timeout (e.g. at least a day).  So the total extra data transfer for
> RSA (versus other) keys won't be either huge or frequent.  DNS traffic
> is still a tiny fraction of overall Internet traffic.

Yes, normal DNS traffic is not the issue.

The optimization is for DDoS conditions, especially amplification via
forged source IP DNS requests for ". IN NS?". The request is tiny,
and the response is multiple KB with DNSSEC.

> We now have
> many dozens of root servers, scattered all over the world, and if the
> traffic rises, we can easily make more by linear replication.  DNS
> *scales*, which is why we're still using it, relatively unchanged,
> after more than 30 years.

Some (e.g. DJB, and I am inclined to take him seriously), are quite
concerned about amplification issues with DNSSEC. Packet size does matter.

> RSA was the obvious choice because it was (and is) believed that if
> you can break it, you can factor large numbers (which mathematicians
> have been trying to do for hundreds of years).  No other algorithm
> available at the time came with such a high pedigree.  As far as I
> know, none still does.

Well, most of the hundreds of years don't really matter, modern number
theory starts with Gauss in ~1800, and the study of elliptic curves begins
in the same century (also Group theory, complex analysis, ...).  It is
not clear that the pedigree of RSA is much stronger than that for ECC.

> The DNSSEC RSA RFC says:
>      For interoperability, the RSA key size is limited to 4096 bits.  For
>    particularly critical applications, implementors are encouraged to
>    consider the range of available algorithms and key sizes.

Perhaps believed sufficiently secure, but insanely large for DNS over UDP.
Packet size does matter.

> If this crypto community was serious about resistance to RSA key
> factoring, the most popular key generation software would be picking
> key sizes *at random* within a wide range beyond the number of bits
> demanded for application security. 

There is no incentive to use keys smaller than the top of the range. An
algorithm that cracks k-bit RSA keys, will crack all keys with n<k bits.

> That way, there'd be no "sweet spots" at 1024 or 2048. 

There is no sweet spot. These sizes are believed to approximately match
80-bit, 112-bit, 128-bit ... sizes for symmetric keys (for RSA 1024,
2048, and 3072).

Why should one bother with a random size between 1024 and 2048, if
everyone supports 2048, and 2048-bit signatures are practical in the
context of the given protocol?


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com

Reply via email to