On Mon, Jul 12, 2010 at 04:16:13PM +0200, Jakob Bohm wrote:
> On 10-07-2010 20:13, Jeffrey Walton wrote:
>>> The general approach is to encrypt data using a symmetric cipher (e.g.,
>>> AES-256) with a randomly-generated key, and then encrypt that symmetric
>>> key with the RSA (public) key.
>> AES-256 requires an RSA modulus with an equivalent strength, which is a
>> 15360 (IIRC). If you choose RSA-1024 or RSA-2048, you are off by
>> orders of magnitude.
>
> Are you sure about those numbers? I know that proponents of ECC
> cryptography have been roundly criticized for putting forward those
> specific numbers and for talking NIST into repeating them in their
> official publications.

AES 256 does not "require" an RSA key that has an equal cost to
brute-force. However, the numbers are based on estimates from best known
attack algorithms, and these estimate 2n-bit ECC at n-bit symmetric, while
for RSA the bit length is non-linear in the "equivalent" symmetric key
size, and matching 256-bit AES is unrealistic. Not too many advocate
AES 256 + ~512 bit ECC either. Instead, in NSA Suite-B for example, one
sees "balanced" combinations like AES-128 + ECC-256 or AES-192 + ECC-384.

--
	Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
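
The non-linearity discussed in this message, as an added example that is not part of the original post and is not OpenSSL code. It assumes the usual general number field sieve cost estimate with the calibration constants 1.923 and 4.69, and the 2n-bit ECC to n-bit symmetric rule stated above; all function names are hypothetical.

```python
import math


def rsa_strength_bits(modulus_bits: int) -> float:
    """Estimated symmetric-equivalent strength of an RSA modulus.

    Assumption of this example: GNFS cost exp(1.923 * (ln n)^(1/3) *
    (ln ln n)^(2/3)), shifted by the calibration constant 4.69.
    """
    ln_n = modulus_bits * math.log(2)  # ln(n) for a modulus n of that length
    work = 1.923 * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3) - 4.69
    return work / math.log(2)          # natural-log work factor -> bits


def ecc_strength_bits(curve_bits: int) -> float:
    """2n-bit ECC is estimated at n-bit symmetric strength."""
    return curve_bits / 2


def rsa_bits_for(target_bits: int) -> int:
    """Smallest modulus length whose estimate reaches target_bits."""
    lo, hi = 512, 1 << 17              # the estimate is increasing on this range
    while lo < hi:
        mid = (lo + hi) // 2
        if rsa_strength_bits(mid) >= target_bits:
            hi = mid
        else:
            lo = mid + 1
    return lo


def comparison(targets=(128, 192, 256)):
    """Rows of (symmetric bits, ECC bits, estimated RSA modulus bits)."""
    return [(t, 2 * t, rsa_bits_for(t)) for t in targets]


if __name__ == "__main__":
    for bits in (1024, 2048, 3072, 7680, 15360):
        print(f"RSA-{bits:<6} ~ {rsa_strength_bits(bits):6.1f}-bit symmetric")
    print()
    print("symmetric  ECC   RSA (estimate)")
    for sym, ecc, rsa in comparison():
        print(f"{sym:>9}  {ecc:>3}   {rsa:>6}")
```

The ECC column doubles when the symmetric target doubles, while the estimated RSA modulus grows by roughly a factor of five between the 128-bit and 256-bit targets.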