On Tue, Feb 21, 2012 at 7:04 PM, Ben Laurie <b...@links.org> wrote: > On Tue, Feb 21, 2012 at 5:47 PM, Chris Dodd <d...@csl.sri.com> wrote: >> On 02/19/2012 07:36 PM, anthony berglas wrote: >>> >>> Exactly. So you need about 112 bits of "entropy" / Pass Phrase to >>> generate a good 2048 bit key. Remember that the vast majority of 2048 >>> bit numbers are not valid key pairs. >>> >>> My question is, has this been done, or would it be easy to do given >>> the existing structure. >> >> >> No, this is NOT true. While it is the case that a good 2048 bit RSA key >> gives you only about 112 bits of security, its not at all clear that you >> can generate such a good key from less than 2048 bits of entropy. >> >> Indeed, from the recently published Lenstra/Hughes attack, its clear >> that using 112 bits of entropy to generate an RSA key (of any length) >> cannot possibly give you more that 56 bits of security, and probably >> far less. > > Surely not. What is the attack, given my 112 bits of entropy and my > single RSA key generated from it, that reduces security down to 56 > bits? > > An upper bound for the amount of entropy used by the colliding devices > could be derived, though. Very crudely, 2.3% of self-signed certs were > colliding. So, it takes about 44 certs to produce a collision, so the > total entropy is ~44^2 = ~2^11. > > In fact, I'm sure the pool for potential collisions is actually > smaller, so we can be reasonably confident the devices had > significantly less than 11 bits of entropy.
Sigh. Sorry, this is not an upper bound - the 2.3% approximation yields a lower bound. So, bad calculation. I'm sure it can be done better, though! ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org