Possibly questionable security decisions in DNS root management

Jerry Leichter leichter at lrw.com
Wed Oct 14 22:43:48 EDT 2009


On Oct 14, 2009, at 7:54 PM, Perry E. Metzger wrote:
> ...We should also recognize that in cryptography, a small integer safety
> margin isn't good enough. If one estimates that a powerful opponent
> could attack a 1024 bit RSA key in, say, two years, that's not even a
> factor of 10 over 90 days, and people spending lots of money have a good
> record of squeezing out factors of 10 here and there. Finding an
> exponential speedup in an algorithm is not something one can do, but
> figuring out a process trick to remove a small constant is entirely
> possible.
>
> Meanwhile, of course, the 1024 bit "short term" keying system may end up
> staying in place far longer than we imagine -- things like this often
> roll out and stay in place for a decade or two even when we imagine we
> can get rid of them quickly.
As I read it, "short term" refers to the lifetime of the *key*, not  
the lifetime of the *system*.

> Do we really believe we won't be able to
> attack a 1024 bit key with a sufficiently large budget even in 10 years? ...
Currently, the cryptographic cost of an attack is ... 0.  How many  
attacks have there been?  Perhaps the perceived value of owning part  
of DNS isn't as great as you think.

If the constraints elsewhere in the system limit the number of bits of  
signature you can transfer, you're stuck.  Presumably over time you'd  
want to go to a more bit-efficient signature scheme, perhaps using  
ECC.  But as it is, the choice appears to be between (a) continuing  
the current completely unprotected system and (b) *finally* rolling  
out protection sufficient to block all but very well funded attacks  
for a number of years.

Should we let the best be the enemy of the good here?

                                                         -- Jerry

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


