Possibly questionable security decisions in DNS root management
Jerry Leichter
leichter at lrw.com
Wed Oct 14 22:43:48 EDT 2009
On Oct 14, 2009, at 7:54 PM, Perry E. Metzger wrote:
> ...We should also recognize that in cryptography, a small integer
> safety
> margin isn't good enough. If one estimates that a powerful opponent
> could attack a 1024 bit RSA key in, say, two years, that's not even a
> factor of 10 over 90 days, and people spending lots of money have a
> good
> record of squeezing out factors of 10 here and there. Finding an
> exponential speedup in an algorithm is not something one can do, but
> figuring out a process trick to remove a small constant is entirely
> possible.
>
> Meanwhile, of course, the 1024 bit "short term" keying system may
> end up
> staying in place far longer than we imagine -- things like this often
> roll out and stay in place for a decade or two even when we imagine we
> can get rid of them quickly.
As I read it, "short term" refers to the lifetime of the *key*, not
the lifetime of the *system*.
> Do we really believe we won't be able to
> attack a 1024 bit key with a sufficiently large budget even in 10
> years? ...
Currently, the cryptographic cost of an attack is ... 0. How many
attacks have there been? Perhaps the perceived value of owning part
of DNS isn't as great as you think.
If the constraints elsewhere in the system limit the number of bits of
signature you can transfer, you're stuck. Presumably over time you'd
want to go to a more bit-efficient signature scheme, perhaps using
ECC. But as it is, the choice appears to be between (a) continuing
the current completely unprotected system and (b) *finally* rolling
out protection sufficient to block all but very well funded attacks
for a number of years.
Should we let the best be the enemy of the good here?
-- Jerry
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list