Re: The time to stop considering 1024 bit as secure is now !
Kaspersky is still not able to break a 1024 bit key; the highest bit size they claimed to break is 660.

samrat

On Wed, Jun 11, 2008 at 2:01 PM, Jean-Marc Desperrier [EMAIL PROTECTED] wrote:
> Kaspersky Lab announces the launch of Stop Gpcode, an international initiative against the blackmailer virus
> http://www.kaspersky.com/news?id=207575651
>
> If Kaspersky has made the analysis, and breaking a 1024 bit key is reasonably within reach of a distributed effort, that means nobody should be using a 1024 key today for really important security.
>
> Gulp :-(

___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: The time to stop considering 1024 bit as secure is now !
Jean-Marc Desperrier:
> Kaspersky Lab announces the launch of Stop Gpcode, an international initiative against the blackmailer virus
> http://www.kaspersky.com/news?id=207575651
>
> If Kaspersky has made the analysis, and breaking a 1024 bit key is reasonably within reach of a distributed effort, that means nobody should be using a 1024 key today for really important security.

LOL, the Virus authors have been using Debian for creating the keys :-)

However more interesting is this reference:

Kaspersky Lab succeeded in thwarting previous variants of Gpcode when Kaspersky virus analysts were able to crack the private key after in-depth cryptographic analysis. Kaspersky Lab virus researchers have to date been able to crack keys up to 660 bits.

Paul, perhaps that's the one I saw, however some details would be obviously better...

Regards

Signer: Eddy Nigg, StartCom Ltd. http://www.startcom.org
Jabber: [EMAIL PROTECTED] xmpp:[EMAIL PROTECTED]
Blog: Join the Revolution! http://blog.startcom.org
Phone: +1.213.341.0390
Re: The time to stop considering 1024 bit as secure is now !
Eddy Nigg (StartCom Ltd.) wrote:
> [...] However more interesting is this reference:

No, that is not more interesting. It's been known for a year or two that keys around 600 bits were broken, and it was therefore already quite obvious that 768 wasn't safe today.

But *only* 15000 computers and *only* one year to break a key size that a large number of actually really important keys use is much bigger news.

If I need to be excruciatingly clear, what's to stop a pirate from using one of the larger botnets currently in existence to distributively break one of those keys? Even if any one slave will not be constantly working on it or not be as powerful as the machines Kaspersky takes in its calculation, some of those botnets have up to 1.5 million machines:
http://www.vnunet.com/vnunet/news/2144375/botnet-operation-ruled-million

How much money is Verisign's 1024 bits Class 3 Public Primary Certification Authority worth for pirates? Don't you think a lot?

I'd frankly much prefer to hear that Kaspersky have their math wrong by one or two factors. But I'll take very seriously an announcement by someone who already has broken a 660-bit key, and not assume it's the case.
Re: The time to stop considering 1024 bit as secure is now !
Jean-Marc Desperrier wrote:
> Kaspersky Lab announces the launch of Stop Gpcode, an international initiative against the blackmailer virus
> http://www.kaspersky.com/news?id=207575651

That seems pointless to me. If they crack it after a few months, the virus author will just generate a new key and release the virus again.

> If Kaspersky has made the analysis, and breaking a 1024 bit key is reasonably within reach of a distributed effort, that means nobody should be using a 1024 key today for really important security.

I would be interested in estimates of how much processor time they consider this will need.

Gerv
Re: The time to stop considering 1024 bit as secure is now !
Eddy Nigg (StartCom Ltd.) wrote:
> Jean-Marc Desperrier:
>> Eddy Nigg (StartCom Ltd.) wrote:
>>> [...] However more interesting is this reference:
>>
>> No, that is not more interesting. It's been known for a year or two that keys around 600 bits were broken, and it was therefore already quite obvious that 768 wasn't safe today.
>
> Well, that's what I knew and what I have been stating not so long ago on this list, but I couldn't refer to any reference, even now, it's not quite clear. I'd like to see some more details - do you have any?

Well I don't know why neither you nor Paul found it, maybe because you searched for exactly 650 bits, it should take only seconds to find references to the factorisation of RSA-640 and of RSA-200 (a 200-digit number that is in fact 663 bits long).
http://www.rsa.com/rsalabs/node.asp?id=2879
http://www.loria.fr/%7Ezimmerma/records/factor.html

Also I'd need to search for more reference, but I've been reading that the factorisation of the 2^1039-1 Mersenne number http://eprint.iacr.org/2007/205 is computationally equivalent to factoring an ordinary 700 bit number.

In fact, it's right there in the publication:
http://eprint.iacr.org/2007/205.pdf

    7 Discussion
    [...]
    We estimate that the effort we spent would suffice to factor a 700-bit RSA modulus.

[...]

> Yes, I have also stated this already, but Paul Hoffman had a counter argument concerning some needed 128 GB memory available per machine.

It's only the final step that requires a lot of memory. In practice, the laboratories that broke the above keys managed to get it, one should not rely too much on that.

>> How much money is Verisign's 1024 bits Class 3 Public Primary Certification Authority worth for pirates? Don't you think a lot?
>
> Not really and we have had exactly this discussion here (see previous threads). One of the suggestions was to have 1024 bit keys removed by 2012, maybe 2013. In any case I think we should act on it and include this requirement into the Mozilla CA policy.

After reading this:
http://www.computerworlduk.com/management/security/cybercrime/news/index.cfm?newsid=9504
and this
http://forum.kaspersky.com/index.php?showtopic=71734
I'm now beginning to realize Kaspersky might much less concretely believe they can actually factor that key than I initially thought, but still 2012/2013 might be too late for the transition.
Re: The time to stop considering 1024 bit as secure is now !
Jean-Marc Desperrier:
> Well I don't know why neither you nor Paul found it, maybe because you searched for exactly 650 bits, it should take only seconds to find references to the factorisation of RSA-640 and of RSA-200 (a 200 digits number that is in fact 663 bits long).
> http://www.rsa.com/rsalabs/node.asp?id=2879
> http://www.loria.fr/%7Ezimmerma/records/factor.html

Thanks, those are the ones I meant.

Regards

Signer: Eddy Nigg, StartCom Ltd. http://www.startcom.org
Jabber: [EMAIL PROTECTED] xmpp:[EMAIL PROTECTED]
Blog: Join the Revolution! http://blog.startcom.org
Phone: +1.213.341.0390
Re: The time to stop considering 1024 bit as secure is now !
At 3:01 PM +0200 6/11/08, Jean-Marc Desperrier wrote:
> I might have reacted a bit too strongly on this news.

+1

At 2:56 PM +0200 6/11/08, Jean-Marc Desperrier wrote:
> Also I'd need to search for more reference, but I've been reading that the factorisation of the 2^1039-1 Mersenne number http://eprint.iacr.org/2007/205 is computationally equivalent to factoring an ordinary 700 bit number.

...is *estimated* to be computationally equivalent. Read that part of the paper carefully. The authors are very careful people, and they said exactly what they meant. Until the authors (or someone using their methods) do an actual factorization in the range of 700-800 bits, we won't know how good their estimate is.

The estimates in RFC 3766 change with each additional data point. Silverman could be right and the second step in factoring a 1024-bit number is essentially impossible; he could be wrong and it is tractable; he could be right for current methods and someone could come up with a better method.

Certainly, the group who wrote the paper above are working on new methods, and might continue to do so in the future. Note, however, that they seem to be about the only group who is publishing any results from their efforts. That could either mean they are the only group working on it, or that other groups working on it are not getting publishable results.
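Added example, not part of any message in this thread: a sketch of how effort estimates for the modulus sizes named above (RSA-640, RSA-200 at 663 bits, the 700-bit estimate, 768 and 1024 bits) scale under the standard asymptotic running-time formula for the general number field sieve. It assumes the o(1) term can be dropped and ignores the memory-bound final step the thread discusses, so only the ratios are indicative; the function names are chosen for this example.

```python
"""Relative GNFS effort for the modulus sizes discussed in the thread (added example)."""
import math

# Leading constant of the general number field sieve running time,
# L(n) = exp((c + o(1)) * (ln n)^(1/3) * (ln ln n)^(2/3)), with c = (64/9)^(1/3).
GNFS_C = (64 / 9) ** (1 / 3)


def gnfs_log2_work(bits: int) -> float:
    """log2 of the asymptotic GNFS cost for a modulus of `bits` bits.

    Assumption: the o(1) term is dropped, so absolute values are only
    indicative; ratios between sizes are the useful output.
    """
    ln_n = bits * math.log(2)
    ln_work = GNFS_C * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return ln_work / math.log(2)


def relative_work(target_bits: int, baseline_bits: int) -> float:
    """How many times more effort `target_bits` needs than `baseline_bits`."""
    return 2 ** (gnfs_log2_work(target_bits) - gnfs_log2_work(baseline_bits))


def table(baseline_bits: int, sizes):
    """Rows of (bits, log2 work rounded to 0.1, ratio to the baseline)."""
    return [
        (b, round(gnfs_log2_work(b), 1), relative_work(b, baseline_bits))
        for b in sizes
    ]


if __name__ == "__main__":
    # Baseline is RSA-200 (663 bits), the largest factorisation cited in
    # the thread; 2048 bits is added here only for comparison.
    for bits, log2_w, ratio in table(663, [640, 663, 700, 768, 1024, 2048]):
        print(f"{bits:5d} bits  ~2^{log2_w:<6} work  {ratio:12.3g} x RSA-200")
```

Each new published factorisation moves the baseline, which is why estimates built on this formula shift with every data point.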
Re: The time to stop considering 1024 bit as secure is now !
Paul Hoffman wrote:
> Note, however, that they seem to be about the only group who is publishing any results from their efforts. That could either mean they are the only group working on it, or that other groups working on it are not getting publishable results.

Or 3. that other groups working on it do not want to publish their results...

Ciao, Michael.
Re: The time to stop considering 1024 bit as secure is now !
We've actually had a discussion on this topic very recently. My understanding of what we've learned from that discussion (feel free to chime in if I'm not understanding properly):

1) The NIST (a US organization) states that after December 31, 2010, nobody should be using 1024-bit RSA keys to protect information.
http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf

2) There needs to be a mechanism to enforce this in NSS; the PKCS#11 validity period information provides a location to set such (since PKCS#11 states that it is up to the application to set this equal to the validity period of the underlying certificate or leave it unset).

3) Mozilla needs to change policy such that new 1024-bit root requests are denied, since they won't be valid for more than a few months even if they're approved. (If it takes an average of 12 months to evaluate a CA, then it'll be at least July 2009 before they're approved for inclusion, and thus won't be able to be valid (given #1) for more than 17 months regardless.)

-Kyle H

On Wed, Jun 11, 2008 at 1:31 AM, Jean-Marc Desperrier [EMAIL PROTECTED] wrote:
> Kaspersky Lab announces the launch of Stop Gpcode, an international initiative against the blackmailer virus
> http://www.kaspersky.com/news?id=207575651
>
> If Kaspersky has made the analysis, and breaking a 1024 bit key is reasonably within reach of a distributed effort, that means nobody should be using a 1024 key today for really important security.
>
> Gulp :-(