I seconds Christian's argument: CGA was carefully designed to offer a security of the ownership property higher than you can get from a direct use of the interface ID. Of course this has a cost in CGA generation time (but not verification) at higher SEC values.
Now about 48 bits of a RSA public key I am not a cryptographer nor believe this particular problem was analyzed but obviously the upper bound is 2**48 attempts with changing one of the two private primes and even checking primeness after differential multiply, i.e., a simple addition. I am afraid Christian is right and an attack is feasible in a delay shorter than usage duration (i.e., "weak" in the military crypto definition of this term). About RSA, signing is encryption of the message digest with a prefix so it is the same thing to break private key encryption or signing. About ECC, ECDSA has the interesting property than verifying is slower than signing. This comes from DSA itself, and ECDSA is as far as I know the only standard way to sign with ECC. Regards [email protected] PS: of course I supports Christian's last advice (but you already know that :-). -------------------------------------------------------------------- IETF IPv6 working group mailing list [email protected] Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 --------------------------------------------------------------------
