On Aug 15, 2010, at 1:17 30PM, Peter Gutmann wrote:

> Ray Dillinger <b...@sonic.net> writes:
>> On Fri, 2010-08-13 at 14:55 -0500, eric.lengve...@wellsfargo.com wrote:
>>
>>> The big drawback is that those who want to follow NIST's recommendations
>>> to migrate to 2048-bit keys will be returning to the 2005-era overhead.
>>> Either way, that's back in line with the above stated 90-95% overhead.
>>> Meaning, in Dan's words "2048 ain't happening."
>>
>> I'm under the impression that <2048 keys are now insecure mostly due to
>> advances in factoring algorithms
>
> Insecure against what?

Right -- who's your enemy? The NSA? The SVR? Or garden-variety cybercrooks?

> Given the million [0] easier attack vectors against
> web sites, which typically range from "trivial" all the way up to "relatively
> easy", why would any rational attacker bother with factoring even a 1024-bit
> key, with a difficulty level of "quite hard"? It's not as if these keys have
> to remain secure for decades, since the 12-month CA billing cycle means that
> you have to refresh them every year anyway.

That depends on what you're protecting. If it's the 4-digit PIN to billion-zorkmid bank accounts, the key needs to remain secure for many years, given how seldom PINs are changed.

> Given both the state of PKI and
> the practical nonexistence of attacks on crypto of any strength because it's
> not worth the bother, would the attackers even notice if you used a 32-bit RSA
> key? How would an adversary effectively scale and monetise an attack based on
> being able to break an RSA key, even if it was at close to zero cost?
>
> The unfortunate effect of such fashion-statement crypto recommendations as
> "you must use 2K bit keys, regardless of the threat environment" is that what
> it actually says is "you must not use SSL on your web site". "Le mieux est
> l'ennemi du bien" strikes again.
>
> Yup.
>
> [0] Figure exaggerated slightly for effect.

But only slightly exaggerated...

--Steve Bellovin, http://www.cs.columbia.edu/~smb

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com