On Aug 16, 2010, at 9:19 49PM, John Gilmore wrote:

>> who's your enemy?  The NSA?  The SVR?  Or garden-variety cybercrooks?
> "Enemy"?  We don't have to be the enemy for someone to crack our
> security.  We merely have to be in the way of something they want;
> or to be a convenient tool or foil in executing a strategy.

John, as you yourself have said, "cryptography is a matter of economics".  
Other than a few academics, people don't factor large numbers for fun; rather, 
they want the plaintext or the ability to forge signatures.  Is factoring the 
best way to do that?  Your own numbers suggest that it is not.  You wrote 
"After they've built 50, which perhaps only take six months to crack a key, 
will YOUR key be one of the 100 keys that they crack this year?"  100 keys, 
perhaps multiplied by 10 for the number of countries that will share the 
effort, means 1000 keys/year.  How many *banks* have SSL keys?  If you want to 
attack one of those banks, which is *cheaper*, getting time on a rare factoring 
machine, or finding some other way in, such as hacking an endpoint?  For that 
matter, don't forget Morris' "three Bs: burglary, bribery, and blackmail".  
(Aside: I was once discussing TWIRL with someone who has ties to the classified 
community.  When I quoted solution speeds of the we're discussing, he chortled, 
saying that the political fight over whose solutions were more valuable would 
paralyze things.)

If the threat is factoring, there are cheaper defenses than going to 1024-bit 
keys.  For example, every one under a given CA can issue themselves 
subcertificates.  For communication keys, use D-H; it's a separate solution 
effort for each session.  (Yes, it's cheaper if the modulus is held constant.)  
Cracking the signing key won't do any good, because of perfect forward secrecy.

You don't need long keys when they're used solely for short-lived 
authentication -- DNSSEC comes to mind.

Now -- all that said, I agree that 2048-bit keys are a safer choice.  However, 
defenders have to consider economics, too, and depending on what they're 
protecting it may not be a smart choice.
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com

Reply via email to