Ray Dillinger <b...@sonic.net> writes:
>On Fri, 2010-08-13 at 14:55 -0500, eric.lengve...@wellsfargo.com wrote:
>> The big drawback is that those who want to follow NIST's recommendations
>> to migrate to 2048-bit keys will be returning to the 2005-era overhead.
>> Either way, that's back in line with the above stated 90-95% overhead.
>> Meaning, in Dan's words "2048 ain't happening."
>I'm under the impression that <2048 keys are now insecure mostly due to
>advances in factoring algorithms

Insecure against what?  Given the million [0] easier attack vectors against
web sites, which typically range from "trivial" all the way up to "relatively
easy", why would any rational attacker bother with factoring even a 1024-bit
key, with a difficulty level of "quite hard"?  It's not as if these keys have
to remain secure for decades, since the 12-month CA billing cycle means that
you have to refresh them every year anyway.  Given both the state of PKI and
the practical nonexistence of attacks on crypto of any strength because it's
not worth the bother, would the attackers even notice if you used a 32-bit RSA
key?  How would an adversary effectively scale and monetise an attack based on
being able to break an RSA key, even if it was at close to zero cost?

The unfortunate effect of such fashion-statement crypto recommendations as
"you must use 2K bit keys, regardless of the threat environment" is that what
it actually says is "you must not use SSL on your web site".  "Le mieux est
l'ennemi du bien" strikes again.


[0] Figure exaggerated slightly for effect.

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com