Possibly questionable security decisions in DNS root management
Jerry Leichter
leichter at lrw.com
Mon Oct 19 22:06:13 EDT 2009
On Oct 17, 2009, at 5:23 AM, John Gilmore wrote:
> Even using keys that have a round number of bits is foolish, in my
> opinion. If you were going to use about 2**11th bits, why not 2240
> bits, or 2320 bits, instead of 2048? Your software already handles
> 2240 bits if it can handle 2048, and it's only a tiny bit slower and
> larger -- but a 2048-bit RSA cracker won't crack your 2240-bit key.
> If this crypto community was serious about resistance to RSA key
> factoring, the most popular key generation software would be picking
> key sizes *at random* within a wide range beyond the number of bits
> demanded for application security. That way, there'd be no "sweet
> spots" at 1024 or 2048. As it is today, if NSA (or any major country,
> organized crime group, or civil rights nonprofit) built an RSA key
> cracker, more than 50% of the RSA keys in use would fall prey to a
> cracker that ONLY handled 1024-bit keys. It's probably more like
> 80-90%, actually. Failing to use 1056, 1120, 1168-bit, etc, keys is
> just plain stupid on our (the defenders') part; it's easy to automate
> the fix.
What factoring algorithms would be optimized for a fixed number of
bits? I suppose one could have hardware that had 1024-bit registers,
which would limit you to no more than 1024 bits; but I can't think of
a factoring algorithm that works for 1024 bits, the top one of which
is 1, but not at least equally well when that top bit happens to be 0.
-- Jerry
---------------------------------------------------------------------
The Cryptography Mailing List