On 10-09-30 11:41 AM, Thor Lancelot Simon wrote:
> On Wed, Sep 29, 2010 at 09:22:38PM -0700, Chris Palmer wrote:
>> Thor Lancelot Simon writes:
>>
>>> a significant net loss of security, since the huge increase in computation
>>> required will delay or prevent the deployment of "SSL everywhere".
>>
>> That would only happen if we (as security experts) allowed web developers to
>> believe that the speed of RSA is the limiting factor for web application
>> performance.
>
> At 1024 bits, it is not. But you are looking at a factor of *9* increase
> in computational cost when you go immediately to 2048 bits. At that point,
> the bottleneck for many applications shifts, particularly those which are
> served by offload engines specifically to move the bottleneck so it's not
> RSA in the first place.
It sounds like a good time to switch to 224-bit ECC. You could even use 256-bit ECC, which is comparable to 3072-bit RSA (according to the table on page 5 of the SEC 2 document). -James
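The cost claim in the thread is easy to check on any machine. The following is an added example, not something posted by Thor, Chris or James: it times a textbook RSA private-key operation (m^d mod n) at 1024, 2048 and 3072 bits using CPython's built-in pow(), and compares the measured ratios against the cubic cost model that modular exponentiation follows when multiplication is schoolbook (k bits of exponent, each squaring costing k^2, so cost grows as k^3: 8x from 1024 to 2048, 27x from 1024 to 3072). The modulus and exponent are constructed random numbers of the right size rather than a real RSA key, because the cost of the operation depends only on the operand sizes; CPython's bignum code is not an optimised crypto library, so only the ratios between sizes are meaningful, not the absolute timings.

```python
"""Added example (not from the original thread): measure how the cost of an
RSA private-key operation grows with modulus size, and compare the measured
ratio with the cubic model that schoolbook modular exponentiation follows.
"""
import secrets
import time


def random_modexp_instance(bits):
    """Constructed sample operands of exactly `bits` bits.

    This is NOT a real RSA key: n is just a random odd number with its top
    bit set, d a random full-length exponent, m a message smaller than n.
    The running time of pow(m, d, n) depends on operand sizes, not on n
    being an RSA modulus, so this is enough for a cost measurement.
    """
    n = secrets.randbits(bits) | (1 << (bits - 1)) | 1
    d = secrets.randbits(bits) | (1 << (bits - 1))
    m = secrets.randbits(bits - 1)
    return m, d, n


def time_private_op(bits, repeats=5):
    """Best-of-`repeats` wall-clock time (seconds) of one m^d mod n at `bits`."""
    m, d, n = random_modexp_instance(bits)
    best = float("inf")
    for _ in range(repeats):
        t0 = time.perf_counter()
        pow(m, d, n)  # textbook private-key op, no CRT, no Montgomery tricks
        best = min(best, time.perf_counter() - t0)
    return best


def cubic_model_ratio(base_bits, bits):
    """Predicted cost ratio if cost ~ bits^3 (schoolbook multiplication).

    Doubling the modulus doubles the number of squarings and quadruples the
    cost of each one, hence 2^3 = 8 for 1024 -> 2048, 3^3 = 27 for 3072.
    """
    return (bits / base_bits) ** 3


def cost_ratios(sizes=(1024, 2048, 3072)):
    """Measured cost of each size relative to the first size in `sizes`.

    Returns {bits: ratio}; the first entry is exactly 1.0 by construction.
    """
    timings = {b: time_private_op(b) for b in sizes}
    base = timings[sizes[0]]
    return {b: t / base for b, t in timings.items()}


if __name__ == "__main__":
    sizes = (1024, 2048, 3072)
    measured = cost_ratios(sizes)
    for b in sizes:
        print(f"{b:5d}-bit: measured {measured[b]:6.1f}x, "
              f"cubic model {cubic_model_ratio(sizes[0], b):5.1f}x")
```

On CPython the measured 2048/1024 ratio lands near the modelled 8x, which is the order of magnitude Thor is describing. Real servers use the CRT form of the private operation (two half-size exponentiations), Montgomery multiplication and hand-tuned assembly; those change the constant factor but not the cubic growth, which is why the 1024 to 2048 step is so much more expensive than the 80-bit to 112-bit security gain it buys. The SEC 2 table James cites is the flip side of the same point: an elliptic-curve operation at 224 or 256 bits works on operands a tenth the size of the RSA modulus of equivalent strength, so the per-handshake cost does not jump in the same way when the security level is raised.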