On Tue, Feb 21, 2012 at 5:47 PM, Chris Dodd <d...@csl.sri.com> wrote: > On 02/19/2012 07:36 PM, anthony berglas wrote: >> >> Exactly. So you need about 112 bits of "entropy" / Pass Phrase to >> generate a good 2048 bit key. Remember that the vast majority of 2048 >> bit numbers are not valid key pairs. >> >> My question is, has this been done, or would it be easy to do given >> the existing structure. > > > No, this is NOT true. While it is the case that a good 2048 bit RSA key > gives you only about 112 bits of security, its not at all clear that you > can generate such a good key from less than 2048 bits of entropy. > > Indeed, from the recently published Lenstra/Hughes attack, its clear > that using 112 bits of entropy to generate an RSA key (of any length) > cannot possibly give you more that 56 bits of security, and probably > far less.
Surely not. What is the attack, given my 112 bits of entropy and my single RSA key generated from it, that reduces security down to 56 bits? An upper bound for the amount of entropy used by the colliding devices could be derived, though. Very crudely, 2.3% of self-signed certs were colliding. So, it takes about 44 certs to produce a collision, so the total entropy is ~44^2 = ~2^11. In fact, I'm sure the pool for potential collisions is actually smaller, so we can be reasonably confident the devices had significantly less than 11 bits of entropy. That seems like a curable problem!!! ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
