[ISN] 1024-bit encryption is 'compromised'

R. A. Hettinga rah at shipwright.com
Wed Mar 27 07:41:22 EST 2002


I like what they said the whole focus of the Financial Cryptography
conference was...

;-).

Cheers,
RAH

--- begin forwarded text


Status:  U
Date: Wed, 27 Mar 2002 03:37:25 -0600 (CST)
From: InfoSec News <isn at c4i.org>
To: isn at attrition.org
Subject: [ISN] 1024-bit encryption is 'compromised'
Sender: owner-isn at attrition.org
Reply-To: InfoSec News <isn at c4i.org>

http://www.vnunet.com/News/1130451

By James Middleton
[26-03-2002]

Upgrade to 2048-bit, says crypto expert

According to a security debate sparked off by cryptography expert
Lucky Green on Bugtraq yesterday, 1,024-bit RSA encryption should be
"considered compromised".

The Financial Cryptography conference earlier this month, which
largely focused on a paper published by cryptographer Dan Bernstein
last October detailing integer factoring methodologies, revealed
"significant practical security implications impacting the
overwhelming majority of deployed systems utilising RSA as the public
key algorithm".

Based on Bernstein's proposed architecture, a panel of experts
estimated that a 1,024-bit RSA factoring device can be built using
only commercially available technology for a price range of several
hundred million to $1bn.

These costs would be significantly lowered with the use of a chip fab.
As the panel pointed out: "It is a matter of public record that the
National Security Agency [NSA] as well as the Chinese, Russian, French
and many other intelligence agencies all operate their own fabs."

And as for the prohibitively high price tag, Green warned that we
should keep in mind that the National Reconnaissance Office regularly
launches Signal Intelligence satellites costing close to $2bn each.

"Would the NSA have built a device at less than half the cost of one
of its satellites to be able to decipher the interception data
obtained via many such satellites? The NSA would have to be derelict
of duty to not have done so," he said.

The machine proposed by Bernstein would be able to break a 1,024-bit
key in seconds to minutes. But the security implications of the
practical 'breakability' of such a key run far deeper.

None of the commonly deployed systems, such as HTTPS, SSH, IPSec,
S/MIME and PGP, use keys stronger than 1,024-bit, and you would be
hard pushed to find vendors offering support for any more than this.

What this means, according to Green, is that "an opponent capable of
breaking all of the above will have access to virtually any corporate
or private communications and services that are connected to the
internet".

"The most sensible recommendation in response to these findings at
this time is to upgrade your security infrastructure to utilise
2,048-bit user keys at the next convenient opportunity," he advised.

But a comment from well-known cryptographer Bruce Schneier casts doubt
on Bernstein's findings in practical application.

"It will be years before anyone knows exactly whether, and how, this
work will affect the actual factoring of practical numbers," he said.

But Green, much to the clamour of "overreaction" from the Slashdot
community, added: "In light of the above, I reluctantly revoked all my
personal 1,024-bit PGP keys and the large web-of-trust that these keys
have acquired over time. The keys should be considered compromised."

Whatever the practical security implications, one sharp-witted
Slashdot reader pointed out: "Security is about risk management. If
you have something to protect that's worth $1bn for someone to steal,
and the only protection you have on it is 1,024-bit crypto, you
deserve to have it stolen."


--- end forwarded text


-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA

The IBUC Symposium on Geodesic Capital
April 3-4, 2002, The Downtown Harvard Club, Boston
<mailto: rah at ibuc.com> for details...

"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
