[Cryptography] RSA equivalent key length/strength
zenadsl6186 at zen.co.uk
Wed Sep 25 19:24:12 EDT 2013
On 25/09/13 17:17, ianG wrote:
> On 24/09/13 19:23 PM, Kelly John Rose wrote:
>> I have always approached that no encryption is better than bad
>> encryption, otherwise the end user will feel more secure than they
>> should and is more likely to share information or data they should not
>> be on that line.
> The trap of a false sense of security is far outweighed by the benefit
> of a "good enough" security delivered to more people.
> We're talking multiple orders of magnitude here. The math that counts is:
> Security = Users * Protection.
No. No. No. Please, no? No. Nonononononono.
It's Summa (over i) P_i.I_i where P_i is the protection provided to
information i, and I_i is the importance of keeping information i
Actually it's more complex than that, as the importance isn't a linear
variable, and information isn't either - but there's a start.
Increasing i by increasing users may have little effect on the overall
security, if the protecting the information they transmit isn't
And saying that something is secure - which is what people who are not
cryptographers think you are doing when you recommend that something -
tends to increase I_i, the importance of the information to be protected.
And if the new system isn't secure against expensive attacks, then
overall security may be lessened by it's introduction. Even if Users are
I have about 30 internet passwords, only three of which are in any way
important to me - those are the banking ones. I use a simple password
for all the rest, because I don't much care if they are compromised.
But I use the same TLS for all these sites.
Now if that TLS is broken as far as likely attacks against the banks go,
I care. I don't much care if it's secure against attacks against the
other sites like my electricity and gas bills.
I might use TLS a lot more for non-banking sites, but I don't really
require it to be secure for those. I do require it to be secure for banking.
And I'm sure that some people would like TLS to be secure against the
NSA for, oh, let's say 10 years. Which 1024-bit DHE will not provide.
If you really want to recommend 1024-bit DHE, then call a spade a spade
- for a start, it's EKS, ephemeral key setup. It doesn't offer much in
the way of forward secrecy, and it offers nothing at all in the way of
perfect forward secrecy.
It's a political stunt to perhaps make trawling attacks by NSA more
expensive (in cases where the website has given NSA the master keys [*])
- but it may make targeted attacks by NSA cheaper and easier.
And in ten years NSA *will* be able to read all your 1024-bit DHE
traffic, which it is storing right now against the day.
[*] does anyone else think it odd that the benefit of introducing
1024-bit DHE, as opposed to 2048-bit RSA, is only active when the
webserver has given or will give NSA the keys? Just why is this being
considered for recommendation?
-- Peter Fairbrother
> The cryptography mailing list
> cryptography at metzdowd.com
More information about the cryptography