On Mon, Jul 12, 2010 at 04:16:13PM +0200, Jakob Bohm wrote:

> On 10-07-2010 20:13, Jeffrey Walton wrote:
>>> The general approach is to encrypt data using a symmetric cipher (e.g.,
>>> AES-256) with a randomly-generated key, and then encrypt that symmetric
>>> key with the RSA (public) key.
>> AES-256 requires an RSA modulus with an equivalent strength, which is a
>> 15360 (IIRC). If you choose RSA-1024 or RSA-2048, you are off by
>> orders of magnitude.
>>
>
> Are you sure about those numbers?  I know that proponents of ECC
> cryptography have been roundly criticized for putting forward those
> specific numbers and for talking NIST into repeating them in their
> official publications.

AES 256 does not "require" an RSA key that has an equal cost to
brute-force. However, the numbers are based on estimates from best
known attack algorithms, and these estimate 2n-bit ECC at n-bit
symmetric, while for RSA the bit length is non-linear in the
"equivalent" symmetric key size, and matching 256-bit AES is
unrealistic.

Not too many advocate AES 256 + ~512 bit ECC either. Instead, in NSA
Suite-B for example, one sees "balanced" combinations like AES-128 + ECC-256
or AES-192 + ECC-384.

-- 
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
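
The non-linear RSA scaling and the "balanced" pairings discussed in this thread, worked through as an added example (not code from the thread or from OpenSSL). It assumes the GNFS-based strength estimate in the form used in NIST's FIPS 140-2 Implementation Guidance and the n/2 rule for ECC; the function names are hypothetical.

```python
import math

def rsa_strength_bits(modulus_bits: int) -> float:
    """Estimated symmetric-equivalent strength of an RSA modulus.

    Assumption: heuristic GNFS cost exp(1.923 * (ln n)^(1/3) * (ln ln n)^(2/3)),
    with the 4.69 calibration constant, converted to bits of work.
    """
    ln_n = modulus_bits * math.log(2)
    work = 1.923 * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3) - 4.69
    return work / math.log(2)

def ecc_strength_bits(curve_bits: int) -> float:
    """2n-bit ECC is estimated at n-bit symmetric strength."""
    return curve_bits / 2

def effective_strength(symmetric_bits: int, kind: str, key_bits: int) -> float:
    """Strength of a hybrid scheme: the weaker of the cipher and the key wrap."""
    if kind == "rsa":
        wrap = rsa_strength_bits(key_bits)
    elif kind == "ecc":
        wrap = ecc_strength_bits(key_bits)
    else:
        raise ValueError(f"unknown key type: {kind}")
    return min(symmetric_bits, wrap)

def min_rsa_modulus(target_bits: int, step: int = 256) -> int:
    """Smallest modulus size (multiple of `step`) whose estimate reaches the target."""
    size = step
    while rsa_strength_bits(size) < target_bits:
        size += step
    return size

if __name__ == "__main__":
    # Constructed list of pairings: the ones named in the thread plus RSA-15360.
    pairings = [(256, "rsa", 1024), (256, "rsa", 2048), (256, "rsa", 15360),
                (128, "ecc", 256), (192, "ecc", 384), (256, "ecc", 512)]
    for sym, kind, bits in pairings:
        eff = effective_strength(sym, kind, bits)
        print(f"AES-{sym} + {kind.upper()}-{bits}: ~{eff:.0f}-bit effective, "
              f"{sym - eff:.0f} bits of cipher strength unused")
    for target in (128, 192, 256):
        print(f"{target}-bit target needs RSA modulus >= ~{min_rsa_modulus(target)} bits")
```

The estimate lands slightly above NIST's rounded table values for the larger sizes, so treat the output as an approximation of the published equivalences rather than a replacement for them.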
