[Cryptography] RSA equivalent key length/strength

Peter Fairbrother zenadsl6186 at zen.co.uk
Mon Sep 30 16:31:09 EDT 2013


On 26/09/13 07:52, ianG wrote:
> On 26/09/13 02:24 AM, Peter Fairbrother wrote:
>> On 25/09/13 17:17, ianG wrote:
>>> On 24/09/13 19:23 PM, Kelly John Rose wrote:
>>>
>>>> I have always approached that no encryption is better than bad
>>>> encryption, otherwise the end user will feel more secure than they
>>>> should and is more likely to share information or data they should not
>>>> be on that line.
>>>
>>>
>>> The trap of a false sense of security is far outweighed by the benefit
>>> of a "good enough" security delivered to more people.

Given that mostly security works (or it should), what's really important 
is where that security fails - and "good enough" security can drive out 
excellent security.

We can easily have excellent security in TLS (mk 2?) - the crypto part 
of TLS can be unbreakable, code to follow (hah!) - but 1024-bit DHE 
isn't, say, unbreakable for 10 years, far less for a lifetime.


We are only talking about security against an NSA-level opponent here. 
Is that significant?

Eg, Tor isn't robust against NSA-level opponents. Is OTR?

>>> We're talking multiple orders of magnitude here.  The math that counts
>>> is:
>>>
>>>     Security = Users * Protection.
>>
>> No. No. No. Please, no? No. Nonononononono.
>>
>> It's Summa (over i) P_i.I_i where P_i is the protection provided to
>> information i, and I_i is the importance of keeping information i
>> protected.
>
>
> I'm sorry, I don't deal in omniscience. Typically we as suppliers of
> some security product have only the faintest idea what our users are up
> to.  (Some consider this a good thing, it's a privacy quirk.)


No, and you don't know how important your opponent thinks the 
information is either, and therefore what resources he might be willing 
or able to spend to get access to it - but we can make some crypto which 
(we think) is unbreakable.

No matter who or what resources, unbreakable. You can rely on the math.

And it doesn't usually cost any more than we are willing to pay - heck, 
the price is usually lost in the noise.

Zero crypto (theory) failures.

Ok, real-world systems won't ever meet that standard - but please don't 
hobble them with failure before they start trying.

> With that assumption, the various i's you list become some sort of
> average

Do you mean I-i's?

Ah, average. Which average might that be? Hmmm, independent 
distributions of two variables - are you going to average them, then 
multiply the averages?

That approximation doesn't actually work very well, mathematically 
speaking - as I'm sure you know.

> This is why the security model that is provided is typically
> one-size-fits-all, and the most successful products are typically the
> ones with zero configuration and the best fit for the widest market.

I totally agree with zero configuration - and best fit - but you are 
missing the main point.

Would 1024-bit DHE give a reasonable expectation of say, ten years 
unbreakable by NSA?

If not, and Manning or Snowden wanted to use TLS, they would likely be 
busted.

Incidentally, would OTR pass that test?



-- Peter Fairbrother

(sorry for the sloppy late reply)

(I'm talking about TLS2, not a BCP - but the BCP is significant)
(how's the noggin? how's Waterlooville?? can I come visit sometime?)
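An added worked example, not part of the thread, putting a number on the "1024-bit DHE for ten years" question in the message above. It assumes the heuristic GNFS cost L_n[1/3, (64/9)^(1/3)] (the same shape governs NFS for discrete logs in prime fields, so it covers finite-field DHE as well as RSA) and calibrates that cost to NIST SP 800-57's rating of a 2048-bit modulus at 112 bits of security; the resulting figures are estimates for comparison, not a cost model of any particular attacker.

```python
import math

# NIST SP 800-57 Part 1 anchor: a 2048-bit RSA/FFDH modulus is rated at
# 112 bits of security. Everything else is scaled from this point using the
# asymptotic GNFS cost, which is an assumption made for this example.
ANCHOR_MODULUS_BITS = 2048
ANCHOR_SECURITY_BITS = 112


def gnfs_log2_work(modulus_bits: int) -> float:
    """log2 of the heuristic GNFS running time L_n[1/3, (64/9)^(1/3)],
    with the o(1) term dropped. The same L[1/3] shape applies to NFS for
    discrete logs in prime fields, so it covers DHE as well as RSA."""
    ln_n = modulus_bits * math.log(2)
    c = (64 / 9) ** (1 / 3)
    ln_work = c * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return ln_work / math.log(2)


def symmetric_equivalent_bits(modulus_bits: int) -> float:
    """Estimated symmetric-key-equivalent strength, calibrated so that the
    anchor modulus lands exactly on its NIST rating."""
    delta = gnfs_log2_work(modulus_bits) - gnfs_log2_work(ANCHOR_MODULUS_BITS)
    return ANCHOR_SECURITY_BITS + delta


def smallest_modulus_for(security_bits: float, step: int = 1024,
                         limit: int = 16384) -> int:
    """Smallest modulus size (a multiple of `step`) whose estimated strength
    reaches `security_bits`; raises if nothing up to `limit` does."""
    for bits in range(step, limit + 1, step):
        if symmetric_equivalent_bits(bits) >= security_bits:
            return bits
    raise ValueError(f"no modulus up to {limit} bits reaches {security_bits} bits")


if __name__ == "__main__":
    for m in (1024, 2048, 3072, 4096, 7680):
        print(f"{m:5d}-bit modulus  ~{symmetric_equivalent_bits(m):6.1f} bits of security")
    print("For 128-bit security use at least", smallest_modulus_for(128), "bits")
```

The 1024-bit figure comes out near 80 bits, which is why it has no business being asked to hold for ten years against a well-resourced adversary.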