1024-bit RSA keys in danger of compromise

Len Sassaman rabbi at quickie.net
Mon Mar 25 20:53:30 EST 2002


I've posted my thoughts about Bernstein's paper to the NANOG list, so I
won't recap them here. I do want to make one point that people seem to be
ignoring, however, and it has to do with the section of Lucky's message
that I have quoted below.

There are several significant applications in widespread use currently
that do not have any mechanism for the user or administrator to specify a
minimum public key algorithm bit size.

Additionally, Verisign appears to not have a policy against signing
ridiculously small RSA keys -- I've been told that they signed a 384-bit
key in the past year. If you're interested, buy the Netcraft SSL survey
results and see how many 512-bit RSA keys are being used now.

On the client side, Internet browsers should have a mechanism for
specifying the minimum key size that a user is willing to accept to secure
his TLS/SSL connection. Not offering this as a standard feature, with sane
defaults, is downright negligent. Both Netscape/Mozilla and Microsoft
appear guilty of this.

Likewise, I cannot find any way of configuring sshd (in any version of
SSH/OpenSSH server software) to deny users' public key based
authentication based on insufficient key size. Either I have to turn off
public key authentication and rely on passwords, or allow users to use
factorable keys. This needs to be fixed, immediately, and documented
properly.

The feasibility of factoring 1024-bit keys, while a very serious issue that
needs to be examined, seems almost irrelevant if software users cannot
specify a lower limit on public key bit sizes in their applications.


--Len.

On Sat, 23 Mar 2002, Lucky Green wrote:

> Coincidentally, the day before the panel, Nicko van Someren announced at
> the FC02 rump session that his team had built software which can factor
> 512-bit RSA keys in 6 weeks using only hardware they already had in the
> office.
>
> A very interesting result, indeed. (While 512-bit keys had been broken
> before, the feasibility of factoring 512-bit keys on just the computers
> sitting around an office was news at least to me).
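
An added example, not part of the original message: where the server itself cannot refuse short keys, an administrator can audit authorized_keys files for RSA moduli below a chosen floor. The 2048-bit default, the function names and the sample entries (constructed moduli, not usable keys) are assumptions made for illustration.

```python
import base64
import struct

def read_field(blob, off):
    """Read one RFC 4253 length-prefixed field; return (body, next_offset)."""
    end = off + 4 + struct.unpack_from(">I", blob, off)[0]  # struct.error if short
    if end > len(blob):
        raise ValueError("truncated field")
    return blob[off + 4:end], end

def rsa_modulus_bits(key_b64):
    """Modulus size in bits of a base64 ssh-rsa public key blob."""
    blob = base64.b64decode(key_b64, validate=True)
    key_type, off = read_field(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("blob is not ssh-rsa")
    _exponent, off = read_field(blob, off)
    modulus, _ = read_field(blob, off)  # mpint; may carry a leading 0x00
    return int.from_bytes(modulus, "big").bit_length()

def weak_rsa_keys(text, min_bits=2048):  # 2048 is an assumed policy floor
    """Return [(line_no, bits, comment)]; bits is None for an unparseable blob."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if line.lstrip().startswith("#") or "ssh-rsa" not in fields[:-1]:
            continue
        i = fields.index("ssh-rsa")  # options may precede the key type
        try:
            bits = rsa_modulus_bits(fields[i + 1])
        except (ValueError, struct.error):
            bits = None
        if bits is None or bits < min_bits:
            findings.append((line_no, bits, " ".join(fields[i + 2:])))
    return findings

def sample_line(bits, comment):
    """Constructed input: a modulus of the given size, not a usable key."""
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
    blob = b"".join(struct.pack(">I", len(p)) + p
                    for p in (b"ssh-rsa", b"\x01\x00\x01", n))
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

SAMPLE = "\n".join((sample_line(512, "alice@constructed"),
                    sample_line(2048, "bob@constructed"),
                    'from="192.0.2.*" ' + sample_line(1024, "carol@constructed")))

if __name__ == "__main__":
    print(weak_rsa_keys(SAMPLE))
```

Entries whose blob does not parse are reported with a size of None rather than skipped, so a malformed line cannot hide from the audit.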




---------------------------------------------------------------------
The Cryptography Mailing List