[Cryptography] Encryption opinion

Steve Weis steveweis at gmail.com
Sun Aug 17 15:13:12 EDT 2014


On Sun, Aug 17, 2014 at 5:29 AM, Peter Gutmann <pgut001 at cs.auckland.ac.nz>
wrote:
>
> >b.  RSA 1024 is considered a weak length these days.  But it still depends on
> >"against whom?"
>
> It's the old "what's your threat model" again.  RSA-512 is still in active
> use, and in many situations it's perfectly secure.  Consider one real-life

The goTenna use case is a consumer-targeted antenna device. My concern is
that the responses in this thread are primarily focused on key length and
algorithms, and do not address any of the more realistic threats you'd see
against a consumer hardware device. Just saying "we use RSA-2048" or
"AES-256" is a red flag.

Regardless, RSA-512 is easily factorable by an individual. For example,
Zachary Harris factored Google's RSA-512 DKIM key for fun two years ago,
which precipitated major sites upgrading their DKIM keys:
http://www.wired.com/2012/10/dkim-vulnerability-widespread/all/

Secondly, the use case isn't even feasible with the settings goTenna
describes. The original message in this thread says "we felt like 1024RSA
for a 160 character text message...". An SMS message with 160 7-bit
characters will not even fit in an unpadded RSA-1024 payload, much less
with proper padding or in a smaller ECC payload.

It's also unclear whether they're talking about using unpadded raw RSA to
encrypt SMS messages. Unpadded RSA is deterministic, not semantically
secure, and implementations are often vulnerable to message recovery
attacks.
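
An added example, not part of the original message: it checks the size claim above against the per-block limits of common RSA encodings and shows what "deterministic" means for unpadded RSA. The function names and the toy key are assumptions made for this illustration.

```python
# Added illustration. The RSA key below is a constructed toy, far too small for real use.

def septets_to_bytes(chars: int) -> int:
    """Bytes needed to carry `chars` packed 7-bit characters."""
    return (chars * 7 + 7) // 8

def rsa_capacity_bytes(mod_bits: int) -> dict:
    """Maximum plaintext bytes per RSA block for common encodings (RFC 8017)."""
    k = mod_bits // 8  # modulus length in bytes
    return {
        "raw (upper bound)": k,          # the integer must also be < n
        "PKCS#1 v1.5": k - 11,           # at least 11 bytes of padding
        "OAEP SHA-1": k - 2 * 20 - 2,
        "OAEP SHA-256": k - 2 * 32 - 2,
    }

def sms_fits(chars: int, mod_bits: int) -> dict:
    """For each encoding, does a `chars`-character 7-bit message fit in one block?"""
    need = septets_to_bytes(chars)
    return {name: need <= cap for name, cap in rsa_capacity_bytes(mod_bits).items()}

# Toy public key built from two Mersenne primes (constructed for this example).
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q

def textbook_encrypt(msg: bytes) -> int:
    """Raw RSA: c = m^e mod n, with no padding and no randomness."""
    m = int.from_bytes(msg, "big")
    if m >= N:
        raise ValueError("message too large for modulus")
    return pow(m, E, N)

def confirm_guess(ciphertext: int, candidates: list) -> list:
    """Anyone holding the public key can re-encrypt candidates and compare."""
    return [c for c in candidates if textbook_encrypt(c) == ciphertext]

if __name__ == "__main__":
    print("160 septets need", septets_to_bytes(160), "bytes")
    print("RSA-1024 capacity:", rsa_capacity_bytes(1024))
    print("fits in RSA-1024:", sms_fits(160, 1024))
    ct = textbook_encrypt(b"meet at noon")  # constructed sample message
    print("same ciphertext twice:", ct == textbook_encrypt(b"meet at noon"))
    print("confirmed guess:", confirm_guess(ct, [b"meet at dawn", b"meet at noon"]))
```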