On 20 Jul 2015, at 23:19, Jonathan Schleifer <[email protected]> wrote:
> On 21.07.2015 at 00:10, David Banes <[email protected]> wrote:
>
>> On 20 Jul 2015, at 23:07, Peter Kieser <[email protected]> wrote:
>>
>>> On 2015-07-10 2:47 AM, Mathias Ertl wrote:
>>>> * Have a valid 4096 bit certificate with at least a sha256 signature.
>>>
>>> 4096 bit seems a bit excessive. NIST is still recommending 2048 bit from
>>> 2011 to 2030.
>>>
>>> -Peter
>>
>> I laughed....
>
> He's actually right - the difference between 2048 and 4096 isn't that big.
> 2048 equals a symmetric cipher of ~ 112 bits, while 4096 equals a symmetric
> cipher of ~ 128 bits. If you think about it, it only makes sense: The bigger
> the number gets, the fewer primes there are…
>
> So, 4096 bit RSA just gives you an additional 16 bits for your AES, while
> doubling the number of RSA bits more than doubles the computational overhead…
>
> That's also the reason why there's no point in doing 8192 bit RSA: It would
> be insanely slow for just giving you a few extra bits. IIRC, to match
> AES-256, you would need RSA-32768. Have fun calculating that! If you want to
> match AES-256, you therefore need to go to 512-bit ECC (for ECC, you need
> roughly double the bits than the symmetric cipher).
>
> --
> Jonathan

If you're serious about stopping someone with greater computational power than you getting at your data then you should take every bit you can. But I agree, most people won't bother because you'd need the computing power available to NIST to compute that.

David.
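Added example (not part of the original thread, and not code from any participant): the RSA-versus-symmetric key-size comparison discussed above can be reproduced with the GNFS-based estimate NIST gives in FIPS 140-2 Implementation Guidance 7.5. Other sources use different constants and arrive at different figures; the function names and the cubic cost model for private-key operations are assumptions made for this sketch.

```python
import math


def rsa_strength_bits(modulus_bits: int) -> float:
    """Estimated symmetric-equivalent strength of an RSA modulus.

    GNFS cost model: x = (1.923 * cbrt(n) * cbrt(ln(n)^2) - 4.69) / ln 2,
    where n = modulus_bits * ln 2 is the natural log of the modulus.
    """
    n = modulus_bits * math.log(2)
    work = 1.923 * n ** (1 / 3) * math.log(n) ** (2 / 3) - 4.69
    return work / math.log(2)


def min_modulus_bits(target_bits: float, step: int = 256) -> int:
    """Smallest modulus size (a multiple of `step`) whose estimate reaches target_bits."""
    size = step
    while rsa_strength_bits(size) < target_bits:
        size += step
    return size


def relative_private_op_cost(modulus_bits: int, baseline_bits: int = 2048) -> float:
    """Private-key operation cost relative to the baseline size.

    Assumption: schoolbook modular exponentiation, so cost grows with bits cubed.
    """
    return (modulus_bits / baseline_bits) ** 3


if __name__ == "__main__":
    print(f"{'RSA bits':>9} {'est. strength':>14} {'cost vs 2048':>13}")
    for bits in (1024, 2048, 3072, 4096, 8192, 15360):
        print(f"{bits:>9} {rsa_strength_bits(bits):>14.1f} "
              f"{relative_private_op_cost(bits):>12.1f}x")
    for target in (112, 128, 192, 256):
        print(f"{target}-bit target -> RSA-{min_modulus_bits(target)} or larger")
```

The table shows strength growing far more slowly than cost as the modulus grows, which is the trade-off the thread is arguing about.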
