On Aug 15, 2010, at 1:17 30PM, Peter Gutmann wrote:

> Ray Dillinger <b...@sonic.net> writes:
>> On Fri, 2010-08-13 at 14:55 -0500, eric.lengve...@wellsfargo.com wrote:
>>> The big drawback is that those who want to follow NIST's recommendations
>>> to migrate to 2048-bit keys will be returning to the 2005-era overhead.
>>> Either way, that's back in line with the above stated 90-95% overhead.
>>> Meaning, in Dan's words "2048 ain't happening."
>> I'm under the impression that <2048 keys are now insecure mostly due to
>> advances in factoring algorithms 
> Insecure against what?

Right -- who's your enemy?  The NSA?  The SVR?  Or garden-variety cybercrooks?

>  Given the million [0] easier attack vectors against
> web sites, which typically range from "trivial" all the way up to "relatively
> easy", why would any rational attacker bother with factoring even a 1024-bit
> key, with a difficulty level of "quite hard"?  It's not as if these keys have
> to remain secure for decades, since the 12-month CA billing cycle means that
> you have to refresh them every year anyway.

That depends on what you're protecting.  If it's the 4-digit PIN to 
billion-zorkmid bank accounts, the key needs to remain secure for many years, 
given how seldom PINs are changed.

>  Given both the state of PKI and
> the practical nonexistence of attacks on crypto of any strength because it's
> not worth the bother, would the attackers even notice if you used a 32-bit RSA
> key?  How would an adversary effectively scale and monetise an attack based on
> being able to break an RSA key, even if it was at close to zero cost?
> The unfortunate effect of such fashion-statement crypto recommendations as
> "you must use 2K bit keys, regardless of the threat environment" is that what
> it actually says is "you must not use SSL on your web site".  "Le mieux est
> l'ennemi du bien" strikes again.
> [0] Figure exaggerated slightly for effect.

But only slightly exaggerated...

                --Steve Bellovin, http://www.cs.columbia.edu/~smb

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com