Re: RSA modulus record

[Thierry Moreau]

Weger, B.M.M. de wrote:


Hi,

There's a new biggest known RSA modulus.
It is (in hexadecimal notation):

FF...(total of 9289166 F's)...FFDFF...(total of 1488985
F's)...FF800...(total of 9289165 0's)...001

It is guaranteed to be the product of two different large primes, 
and it has more than 80 million bits. Impressive security...




But it is trivially factored as (2^43112609-1) * (2^37156667-1)

Factorization based modulus need to be drawn from a pool of numbers 
without special properties, so that their factorization is not 
facilitated by special-purpose algorithms. There is ample academic work 
aiming to refine without special properties, and there is also ample 
(debated) academic work which assumes that without special property is 
a reasonable assumption in practice.


The fun part is to reconcile theory and practice, e.g. a decade of RSA 
industrial application before retrofitting the probabilistic property in 
RSA, while probabilistic cryptosystems has been around in academic work 
amost since the early days of published work on PK crypto.


Regards,


- Thierry Moreau

CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, Qc
Canada   H2M 2A1

Tel.: (514)385-5691
Fax:  (514)385-5900

web site: http://www.connotech.com
e-mail: [EMAIL PROTECTED]

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

Re: RSA modulus record

[Joseph Ashwood]

- Original Message - 
From: Victor Duchovni [EMAIL PROTECTED]

To: cryptography@metzdowd.com
Sent: Tuesday, September 16, 2008 2:08 PM
Subject: Re: RSA modulus record



On Tue, Sep 16, 2008 at 09:01:51PM +0200, Weger, B.M.M. de wrote:


There's a new biggest known RSA modulus.
It is (in hexadecimal notation):

FF...(total of 9289166 F's)...FFDFF...(total of 1488985
F's)...FF800...(total of 9289165 0's)...001

It is guaranteed to be the product of two different large primes,


Are the primes actually known, or just guaranteed to exist?


and it has more than 80 million bits. Impressive security...


In what sense is this impressive security?



I have to agree that it is impressive, in the same way that having a 
nickname Tripod is impressive. Doesn't actually mean much in terms of 
reality neither is all that useful, or realistic for actual use.
   Joe 


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

Re: once more, with feeling.

[Dirk-Willem van Gulik]

 ... discussion on CA/cert acceptance hurdles in the UI 

I am just wondering if we need a dose of PGP-style reality here.

We're really seeing 3 or 4 levels of SSL/TLS happening here - and whilst
they all appear use the same technology - the assurances, UI,  
operational

regimen, 'investment' and user expectations are way different:

A)  Symbolic Locks (think bicycle locks in Amsterdam, or the little
plastic luggage locks people use) - just a bit of reassurance
that snooping is not trivial.

= so you'd just want your browser to indicate something about
SSL, just like you causally mention mime-type or port-number.

B)  Some sort of assurance that you are talking to whom you think you
are talking to - and that such is the case next time round. And
in a grown up sort of way - but no need to go the investment
to have some paid minder reassuring you that there is no
monster under the bed. E.g. some privacy, say on an online forum.

= so in this case you'd probably want a near friction less
or perhaps even invisible initial persistent accept and
some sort of low-key warning if the cert or chain changed
over time beyond some range.

C)  Fair assurance that you are talking with whom you think
you are talking to - is really that entity - and some
trust. E.g. the canonical credit card payment case.

= behaviour as we have today.

D)  Proper TLS; where both each end of the connection has a well
defined idea of the reliability. E.g. the authenticate
properly with an x509 to a server with a cert against
an explicit list of CA's which are carefully selected
by the 'powers that be' and with full CRLs.

Unfortunately there is currently no way for the server to indicate any
of this; or the user to indicate what his or her expectations are.

So my take is that it is pretty much impossible to get the UI to do
the right thing - until it has this information* - and even then
you have a fair chunk of education left to do :).

But without it - the entire discussion is moot.

As to technical options to accomplish this - it would not be hard
to *_socialise_* a few small technical hints: i.e if it is a
straight  self-signed server, certificate, with minimal data - assume
A; case C is easy; and in case 'D' one would care enough to have
a proper set-up.

That just leaves case B - and distinguishing it from a failed C.  And
that is hard. Especially as a messy B should not compromise a C.

So I guess that needs some very clear marker from the site owner. Which
could be as simple as insisting on things like an funky DN, a CN with
the FQDN set to something like 'ad-hoc', a concept that a certificate
with just a CN, but no other O, OU, L or C fields.

And obviously one could try to boil the ocean; write a small RFC
detailing some OID to put in the certificate for case A  B :) - and
include the fewlines of openssl in the document to make your own
'B' certificate.

Key would not be the technical aspect - but socialising it with enough
webmaster folks** that there is enough of a mass to tempt them
browser boys. And that is the going to be the very hard part :)


Dw

*)  I strongly think that the current plug-ins which check if a
certificates fingerprint is the same from multiple vantage
points around the internet is really quite orthogonal to this
issue. So no solace there.

**) And capitalise on the fact that they need to recreate their  
certificates

as most folks seem to stick to the default 365 days.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]