[Cryptography] RSA equivalent key length/strength

Bill Frantz frantz at pwpconsult.com
Sun Sep 22 15:16:06 EDT 2013


On 9/21/13 at 5:07 PM, code at funwithsoftware.org (Patrick 
Pelletier) wrote:

>I'm inclined to agree with you, but you might be 
>interested/horrified in the "1024 bits is enough for anyone" 
>debate currently unfolding on the TLS list:
>
>http://www.ietf.org/mail-archive/web/tls/current/msg10009.html

I think that this comment is a serious misinterpretation of the 
discussion on the TLS list.

The RFC under discussion is a Best Current Practices (BCP) RFC. 
Some people, including me, think that changes to the protocol or 
current implementations of the protocol are out of scope for a 
BCP document.

There are several implementations of TLS which will only do 1024 
bit Diffie-Hellman ephemeral (DHE)[1]. The question as I see it 
is: Are we better off recommending forward security with 1024 
bit DHE, with the possibility that large organizations can brute 
force it; or using the technique of having the client encrypt 
the keying material with the server's RSA key with the 
probability that the same large organizations have acquired the 
server's secret key.

Now there are good arguments on both sides.

The nearly complete database of who talks to who allows 
"interesting" communications [2] to be singled out for attacks 
on the 1024 bit DHE. Cracking all the DHE exchanges is probably 
more work than these large organizations can do with current 
technology. However, it is almost certain that these sessions 
will be readable in the not too distant future.

It is widely believed that most large sites have had their RSA 
secret keys compromised, which makes all these sessions 
trivially readable.

I think that the vast majority of TLS list commenters want to 
have TLS 1.3 include fixes for the problems that have been 
identified. However, getting TLS 1.3 approved is at least a 
year, and getting it through the FIPS process will add at least 
another year. We already know that these large organizations 
work to delay better crypto, sometimes using the argument that 
we should wait for the perfect solution rather than 
incrementally adopt better solutions in the meantime.

Cheers - Bill

[1] Implementations which will only do 1024 bit DHE are said to 
include: Apache with OpenSSL, Java, and Windows crypt libraries 
(used by Internet Explorer). If longer keys are used by the 
other side, they abort the connection attempt.

[2] I actually believe NSA when they say they aren't interested 
in grandma's cookie recipe. I am, but I like good cookies. :0)

-----------------------------------------------------------------------
Bill Frantz        | Privacy is dead, get over    | Periwinkle
(408)356-8506      | it.                          | 16345 Englewood Ave
www.pwpconsult.com |              - Scott McNealy | Los Gatos, CA 95032
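
The trade-off discussed in the message above, as an added example that is not part of the original post: a recorded RSA key-transport handshake becomes readable once the server's long-term private key is known, while a recorded DHE handshake does not. The primes, generator and all function names are constructed toy assumptions, far too small for real use.

```python
import secrets

# Constructed toy parameters: Mersenne primes, far too small for real use.
RSA_P, RSA_Q, RSA_E = 2**61 - 1, 2**89 - 1, 65537
DH_P, DH_G = 2**127 - 1, 3

def rsa_keygen():
    """Return the server's long-term (public, private) RSA key pair."""
    n = RSA_P * RSA_Q
    d = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))
    return (n, RSA_E), d

def rsa_key_transport(server_pub):
    """Client encrypts the keying material under the server's RSA key."""
    n, e = server_pub
    premaster = secrets.randbelow(n - 2) + 2
    wire = {"encrypted_premaster": pow(premaster, e, n)}
    return premaster, wire

def dhe_exchange():
    """Both sides use fresh exponents that are discarded after the handshake.
    (The server's RSA signature over its DH value is omitted here.)"""
    a = secrets.randbelow(DH_P - 3) + 2
    b = secrets.randbelow(DH_P - 3) + 2
    wire = {"client_public": pow(DH_G, a, DH_P),
            "server_public": pow(DH_G, b, DH_P)}
    shared = pow(wire["server_public"], a, DH_P)
    assert shared == pow(wire["client_public"], b, DH_P)
    return shared, wire  # a and b are not retained anywhere

def recover_with_rsa_key(wire, server_pub, leaked_d):
    """What a recorded handshake yields once the RSA private key is known."""
    if "encrypted_premaster" in wire:
        return pow(wire["encrypted_premaster"], leaked_d, server_pub[0])
    # DHE: the long-term key never encrypted the secret; what remains is a
    # discrete-log problem whose cost depends on the group size.
    return None

if __name__ == "__main__":
    pub, priv = rsa_keygen()
    secret, recorded = rsa_key_transport(pub)
    print("RSA transport recovered:", recover_with_rsa_key(recorded, pub, priv) == secret)
    shared, recorded = dhe_exchange()
    print("DHE recovered:", recover_with_rsa_key(recorded, pub, priv) is not None)
```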
