On Aug 16, 2010, at 9:19 49PM, John Gilmore wrote: >> who's your enemy? The NSA? The SVR? Or garden-variety cybercrooks? > > "Enemy"? We don't have to be the enemy for someone to crack our > security. We merely have to be in the way of something they want; > or to be a convenient tool or foil in executing a strategy. >
John, as you yourself have said, "cryptography is a matter of economics". Other than a few academics, people don't factor large numbers for fun; rather, they want the plaintext or the ability to forge signatures. Is factoring the best way to do that? Your own numbers suggest that it is not. You wrote "After they've built 50, which perhaps only take six months to crack a key, will YOUR key be one of the 100 keys that they crack this year?" 100 keys, perhaps multiplied by 10 for the number of countries that will share the effort, means 1000 keys/year. How many *banks* have SSL keys? If you want to attack one of those banks, which is *cheaper*, getting time on a rare factoring machine, or finding some other way in, such as hacking an endpoint? For that matter, don't forget Morris' "three Bs: burglary, bribery, and blackmail". (Aside: I was once discussing TWIRL with someone who has ties to the classified community. When I quoted solution speeds of the we're discussing, he chortled, saying that the political fight over whose solutions were more valuable would paralyze things.) If the threat is factoring, there are cheaper defenses than going to 1024-bit keys. For example, every one under a given CA can issue themselves subcertificates. For communication keys, use D-H; it's a separate solution effort for each session. (Yes, it's cheaper if the modulus is held constant.) Cracking the signing key won't do any good, because of perfect forward secrecy. You don't need long keys when they're used solely for short-lived authentication -- DNSSEC comes to mind. Now -- all that said, I agree that 2048-bit keys are a safer choice. However, defenders have to consider economics, too, and depending on what they're protecting it may not be a smart choice. --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
