2048 bits, damn the electrons! [rt at openssl.org: [openssl.org #2354] [PATCH] Increase Default RSA Key Size to 2048-bits]

Thor Lancelot Simon tls at rek.tjls.com
Thu Sep 30 11:41:18 EDT 2010 

On Wed, Sep 29, 2010 at 09:22:38PM -0700, Chris Palmer wrote:
> Thor Lancelot Simon writes:
> 
> > a significant net loss of security, since the huge increase in computation
> > required will delay or prevent the deployment of "SSL everywhere".
> 
> That would only happen if we (as security experts) allowed web developers to
> believe that the speed of RSA is the limiting factor for web application
> performance.

At 1024 bits, it is not.  But you are looking at a factor of *9* increase
in computational cost when you go immediately to 2048 bits.  At that point,
the bottleneck for many applications shifts, particularly those which are
served by offload engines specifically to move the bottleneck so it's not
RSA in the first place.

Also, consider devices such as deep-inspection firewalls or application
traffic managers which must by their nature offload SSL processing in
order to inspect and possibly modify data before application servers see 
it.  The inspection or modification function often does not parallelize
nearly as well as the web application logic itself, and so it is often
not practical to handle it in a distributed way and "just add more CPU".

At present, these devices use the highest performance modular-math ASICs
available and can just about keep up with current web applications'
transaction rates.  Make the modular math an order of magnitude slower
and suddenly you will find you can't put these devices in front of some
applications at all.

This too will hinder the deployment of "SSL everywhere", and handwaving
about how for some particular application, the bottleneck won't be at
the front-end server even if it is an order of magnitude slower for it
to do the RSA operation itself will not make that problem go away.

Thor

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list