On 12-07-2010 16:54, Victor Duchovni wrote:
On Mon, Jul 12, 2010 at 04:16:13PM +0200, Jakob Bohm wrote:

On 10-07-2010 20:13, Jeffrey Walton wrote:
The general approach is to encrypt data using a symmetric cipher (e.g.,
AES-256) with a randomly-generated key, and then encrypt that symmetric
key with the RSA (public) key.
AES-256 requires an RSA modulus with an equivalent strength, which is a
15360 (IIRC). If you choose RSA-1024 or RSA-2048, you are off by
orders of magnitude.


Are you sure about those numbers?  I know that proponents of ECC
cryptography have been roundly criticized for putting forward those
specific numbers and for talking NIST into repeating them in their
official publications.

AES 256 does not "require" an RSA key that has an equal cost to
brute-force. However, the numbers are based on estimates from best
known attack algorithms, and these estimate 2n-bit ECC at n-bit
symmetric, while for RSA the bit length is non-linear in the
"equivalent" symmetric key size, and matching 256-bit AES is
unrealistic.


That was not my question. My question was about the actual numeric
values in that non-linear mapping from symmetric key sizes to RSA
modulus sizes. A few years ago there was public controversy about
what RSA key lengths correspond to 256-bit symmetric key length.

Some said 15360 bits, some said less. NIST republished 15360 in some
of their documents without giving a reason.

Not too many advocate AES 256 + ~512 bit ECC either. Instead, in NSA
Suite-B for example, one sees "balanced" combinations like AES-128 + ECC-256
or AES-192 + ECC-384.


The absence of NIST's ECC-512 curve from the Suite B lists is
mysterious at best.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
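
Added example, not part of the thread or written by any of its participants: the non-linear mapping discussed above can be approximated from the asymptotic running time of the general number field sieve, exp((64/9)^(1/3) (ln n)^(1/3) (ln ln n)^(2/3)). The o(1) term is dropped here (an assumption), so the results are heuristic and will not match the tabulated NIST values exactly; the function names are hypothetical.

```python
import math

# Comparable strengths as tabulated in NIST SP 800-57 Part 1
# (RSA modulus bits -> symmetric-equivalent bits).
NIST_TABLE = {1024: 80, 2048: 112, 3072: 128, 7680: 192, 15360: 256}

GNFS_C = (64 / 9) ** (1 / 3)  # constant of the GNFS heuristic, about 1.923


def gnfs_bits(modulus_bits):
    """log2 of the heuristic GNFS cost for an n of this size, o(1) dropped."""
    ln_n = modulus_bits * math.log(2)
    work = GNFS_C * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return work / math.log(2)


def modulus_bits_for(symmetric_bits, lo=512, hi=65536):
    """Smallest modulus size in [lo, hi] whose estimate reaches symmetric_bits."""
    if gnfs_bits(hi) < symmetric_bits:
        raise ValueError("target strength is outside the search range")
    while lo < hi:  # gnfs_bits is increasing, so binary search is valid
        mid = (lo + hi) // 2
        if gnfs_bits(mid) >= symmetric_bits:
            hi = mid
        else:
            lo = mid + 1
    return lo


def compare():
    """Rows of (modulus bits, tabulated strength, uncalibrated GNFS estimate)."""
    return [(bits, nist, round(gnfs_bits(bits), 1))
            for bits, nist in sorted(NIST_TABLE.items())]


if __name__ == "__main__":
    print("modulus  tabulated  gnfs-estimate")
    for bits, nist, est in compare():
        print(f"{bits:7d}  {nist:9d}  {est:13.1f}")
    for target in (128, 192, 256):
        print(f"{target}-bit estimate reached at ~{modulus_bits_for(target)} bits")
```

The uncalibrated estimate sits above the tabulated figure at every size, which shows how much the published numbers depend on how the formula is calibrated, while doubling the modulus from 1024 to 2048 bits adds only about 30 bits to the estimate.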
