307 digit number factored

[Perry E. Metzger]

pgut001 at cs.auckland.ac.nz (Peter Gutmann) writes:
> I would go further and say that for most applications of PKCs/PKI
> today, 1024- bit RSA keys are not a risk at all, or more
> specifically that on a scale of risk they're so far down the list
> that they're close to negligible.  As numerous security HCI studies
> have shown, user comprehension of PKI is close to zero percent,
> which means that the security effectiveness of the same is also
> close to zero.

Although I agree that key cracking is not a threat we should concern
ourselves with by a long shot, that does not mean that changing to
larger keys is not cost effective. This is because larger keys are
essentially free -- it costs no more (for most applications) to
generate a 2048 bit key than a 1024 bit key, so there is no incentive
not to. However, I violently agree that no one should be under the
illusion that longer keys will protect them from the most realistic
security threats. (For those applications where longer keys actually
will cost significantly and the value of the keys is low, the
calculation changes and there is little or no reason to upgrade.)

> As the multi-billion dollar phishing industry has
> ably demonstrated, the bad guys are more than aware of this too.  So
> going from x- bit RSA to y-bit RSA on a component with close to
> zero-percent effectiveness is... well, I'll let you do the maths.

https with X.509 certs is not the only application of RSA keys, of
course. There are a significant number of applications where the keys
actually do work reasonably effectively, and the real threat is not
phishing but code bugs. Still, in spite of the fact that no one is,
say, formally validating openssh, it costs nothing to request a 2048
bit key instead of a 1024 bit key, and I'm not sure it is a bad idea
to do that on an opportunistic basis.

Even for https, it costs no more to type in "2048" than "1024" into
your cert generation app the next time a cert expires. The only
potential cost is if you're so close to the performance line that
slower RSA ops will cause you pain -- otherwise, it is pretty much
costless. For average people's web servers most of the time,
connections are sufficiently infrequent and RSA operations are "fast
enough" that it makes no observable difference.

> Until the hundred other constituent parts required to secure
> something like web browsing are fixed, changing the key size is just
> pointless posturing, since it's not fixing anything that anyone is
> attacking.  Once all the other bits are fixed and working as
> intended, then we can go back to debating whether length is more
> important than width in key sizes.

I'm not sure I entirely buy the argument. Certainly there are other
far more (overwhelmingly more) important issues, and certainly a steel
door helps little in a tissue paper wall, but that is no reason to let
the door slowly rust away while you rebuild the wall, especially if
protecting it from rust is literally effortless.

At the same time, I'll agree that reading this argument is itself
probably more expensive than the benefit longer key length is likely
to provide someone in the near future.

Perry

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com