[Cryptography] RSA equivalent key length/strength

Peter Fairbrother zenadsl6186 at zen.co.uk
Wed Sep 25 19:24:12 EDT 2013

On 25/09/13 17:17, ianG wrote:
> On 24/09/13 19:23 PM, Kelly John Rose wrote:
>> I have always approached that no encryption is better than bad
>> encryption, otherwise the end user will feel more secure than they
>> should and is more likely to share information or data they should not
>> be on that line.
> The trap of a false sense of security is far outweighed by the benefit
> of a "good enough" security delivered to more people.
> We're talking multiple orders of magnitude here.  The math that counts is:
>     Security = Users * Protection.

No. No. No. Please, no? No. Nonononononono.

It's Summa (over i)  P_i.I_i where P_i is the protection provided to 
information i, and I_i is the importance of keeping information i 

Actually it's more complex than that, as the importance isn't a linear 
variable, and information isn't either - but there's a start.

Increasing i by increasing users may have little effect on the overall 
security, if the protecting the information they transmit isn't 
particularly valuable.

And saying that something is secure - which is what people who are not 
cryptographers think you are doing when you recommend that something - 
tends to increase I_i, the importance of the information to be protected.

And if the new system isn't secure against expensive attacks, then 
overall security may be lessened by it's introduction. Even if Users are 

I have about 30 internet passwords, only three of which are in any way 
important to me - those are the banking ones. I use a simple password 
for all the rest, because I don't much care if they are compromised.

But I use the same TLS for all these sites.

Now if that TLS is broken as far as likely attacks against the banks go, 
I care. I don't much care if it's secure against attacks against the 
other sites like my electricity and gas bills.

I might use TLS a lot more for non-banking sites, but I don't really 
require it to be secure for those. I do require it to be secure for banking.

And I'm sure that some people would like TLS to be secure against the 
NSA for, oh, let's say 10 years. Which 1024-bit DHE will not provide.

If you really want to recommend 1024-bit DHE, then call a spade a spade 
- for a start, it's EKS, ephemeral key setup. It doesn't offer much in 
the way of forward secrecy, and it offers nothing at all in the way of 
perfect forward secrecy.

It's a political stunt to perhaps make trawling attacks by NSA more 
expensive (in cases where the website has given NSA the master keys [*]) 
- but it may make targeted attacks by NSA cheaper and easier.

And in ten years NSA *will* be able to read all your 1024-bit DHE 
traffic, which it is storing right now against the day.

[*] does anyone else think it odd that the benefit of introducing 
1024-bit DHE, as opposed to 2048-bit RSA, is only active when the 
webserver has given or will give NSA the keys? Just why is this being 
considered for recommendation?

Yes, stunt.

-- Peter Fairbrother

> iang
> _______________________________________________
> The cryptography mailing list
> cryptography at metzdowd.com
> http://www.metzdowd.com/mailman/listinfo/cryptography

More information about the cryptography mailing list