Possibly questionable security decisions in DNS root management

Perry E. Metzger perry at piermont.com
Wed Oct 14 19:54:36 EDT 2009


bmanning at vacation.karoshi.com writes:
> er... there is the root key and there is the ROOT KEY.
> the zsk only has a 90 day validity period.  ... meets the
> "spec" and -ought- to be good enough.   that said, it is
> currently a -proposal- and if credible arguments can be made
> to modify the proposal, I'm persuaded that VSGN will do so.

Well, you might look at Ekr's argument, which I largely agree with. I
think the two key observations are that 1024 bit keys are already
considered iffy, large sums (perhaps hundreds of millions of dollars or
even more) may be thrown by opponents at this particular key, and that
technology for factoring will only get better. Given the sums that could
be spent, very specialized hardware could be built -- far more
specialized than ordinary PCs on which the problem doesn't scale that
well in its most expensive steps.

Security is usually not limited by cryptography in the modern
world. Crypto systems are usually far stronger than opponents' will to
spend, and bugs are the more obvious way to attack things.  However, if
you're talking about a really high value target and "weak enough"
crypto, the economics change, and with them so does everything else.
Crypto being a potential weak spot is an exceptionally rare situation,
but the DNS root key is insanely high value.

We should also recognize that in cryptography, a small integer safety
margin isn't good enough. If one estimates that a powerful opponent
could attack a 1024 bit RSA key in, say, two years, that's not even a
factor of 10 over 90 days, and people spending lots of money have a good
record of squeezing out factors of 10 here and there. Finding an
exponential speedup in an algorithm is not something one can do, but
figuring out a process trick to remove a small constant is entirely
possible.

Meanwhile, of course, the 1024 bit "short term" keying system may end up
staying in place far longer than we imagine -- things like this often
roll out and stay in place for a decade or two even when we imagine we
can get rid of them quickly. Do we really believe we won't be able to
attack a 1024 bit key with a sufficiently large budget even in 10 years?

Again, normally, crypto isn't where you attack an opponent, but in this
case, I'd suggest that key length might not be a silly thing to worry
about.

There are enough people here with the right expertise. I'd be interested
in hearing what people think could be done with a fully custom hardware
design and a budget in the hundreds of millions of dollars or more.

Perry
-- 
Perry E. Metzger		perry at piermont.com

---------------------------------------------------------------------
The Cryptography Mailing List