[Cryptography] Encryption opinion

Michael Kjörling michael at kjorling.se
Fri Aug 15 03:50:57 EDT 2014


On 14 Aug 2014 15:38 -0400, from jp at gotenna.com (Jorge Perdomo):
> We launched publicly a few weeks ago with the plans of using 1024-bit RSA
> for our encryption, but have received a lot of complaints from people
> telling us that RSA wasn't safe and whatnot.  I'm not an expert, but
> through our research we felt like 1024RSA for a 160 character text message
> was plenty strong, but we could be wrong.

First off, kudos for recognizing your limitations, reaching out and
trying to do better. Lots of companies wouldn't.

Before you begin making changes, though, _please_ take some time to
_clearly define the threat model_ you are trying to protect against,
if you haven't already. Without a clearly defined threat model, it
becomes very difficult to tell whether the security provided is good
enough to meet the threat model. Also please be clear _to users_ about
the threat model you are attempting to protect your users against; I
would suggest publishing a set of documents outlining it (both in
layman's terms as well as a more in-depth technical discussion) on
your web site, someplace where it will be easy to find for those
interested.

Note that _academic_ 768-bit RSA factoring was reported in early 2010,
and that paper [1] suggests (section 3) that factoring a 1024-bit RSA
modulus _by academic effort_ is not likely possible before around 2015
and optimistically possible before around 2020. That would give a
1024-bit solution a few years of breathing room, at most, _against
academic efforts_.

That last part is important. We can most likely safely assume that
government agencies (not only in the USA) have access to significantly
more computing power, should they decide the communications are worth
the effort to decrypt, and it is also possible that they might have
access to methods of attack not known in the academic community. I
also believe it's safe to say that we know the NSA (and likely
others!) is vacuuming up everything they can get their hands on, and
that the NSA _specifically_ stores encrypted communications. That
means that any solution that may need to provide longer-term security
(as opposed to ephemeral security) must be able to withstand the
cryptanalysis and computing power of not only a large government
agency today, but in the case of high-value targets quite possibly
decades into the future. (If someone breaks into your house or mugs
you on the street and steals your cell phone, at least you'll know,
and can take steps to mitigate the damage. If someone sniffs your
encrypted traffic, stores and/or decrypts it, you won't necessarily
ever know, and hence can't take mitigating steps.)

Consider that NIST already in 2007 recommended [2] that a minimum of
80 bits of security shall be provided _until 2010_ for non-classified
data; between 2011 and 2030, 112 bits minimum security shall be
provided; and after 2030, 128 bits minimum. ([2], section 5.6.2.)
Looking at [2] table 2 (part of section 5.6.1), 80 bits of security is
provided by RSA-1024, 112 bits of security is provided by RSA-2048 and
128 bits of security is provided by RSA-3072. These numbers are not
necessarily current, but should be close enough. Obviously, we are
currently in the bracket where 2048-bit RSA would be recommended if
you are using RSA, providing 112 bits of security (brute force
symmetric key length equivalent).

[1] http://eprint.iacr.org/2010/006.pdf

[2] http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf

-- 
Michael Kjörling • https://michael.kjorling.se • michael at kjorling.se
OpenPGP B501AC6429EF4514 https://michael.kjorling.se/public-keys/pgp
                 “People who think they know everything really annoy
                 those of us who know we don’t.” (Bjarne Stroustrup)


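As an added worked example (not part of Michael's message, and not code from goTenna or anyone on the thread), the Python below puts numbers on two of the points made above: the NIST SP 800-57 (2007) comparable-strength table and year brackets cited as [2], and the heuristic GNFS running-time estimate behind the "a few years of breathing room" comparison of 768- and 1024-bit moduli in [1]. The table rows and year brackets are copied from [2] as summarised in the message; the GNFS cost function L_n[1/3, (64/9)^(1/3)] is the standard heuristic with the o(1) term dropped, so the ratios it produces are order-of-magnitude estimates and nothing more. Function names are my own.

```python
import math

# NIST SP 800-57 Part 1 (rev. 2, March 2007), Table 2: RSA modulus size
# in bits -> comparable security strength in bits.
NIST_RSA_STRENGTH = {1024: 80, 2048: 112, 3072: 128, 7680: 192, 15360: 256}


def minimum_strength_for_year(year):
    """Minimum security strength (bits) NIST SP 800-57 (2007), section
    5.6.2, says shall be provided for non-classified data in that year."""
    if year <= 2010:
        return 80
    if year <= 2030:
        return 112
    return 128


def rsa_security_bits(modulus_bits):
    """Security strength NIST credits to an RSA modulus of this size.

    Sizes between table rows are credited with the next smaller row,
    so an odd 1536-bit key only counts as the 80 bits of RSA-1024.
    """
    eligible = [size for size in NIST_RSA_STRENGTH if size <= modulus_bits]
    if not eligible:
        return 0
    return NIST_RSA_STRENGTH[max(eligible)]


def rsa_modulus_adequate(modulus_bits, year):
    """True if an RSA modulus of this size meets the NIST minimum for the year."""
    return rsa_security_bits(modulus_bits) >= minimum_strength_for_year(year)


def smallest_adequate_rsa_modulus(year):
    """Smallest table size of RSA modulus meeting the NIST minimum for the year."""
    need = minimum_strength_for_year(year)
    for size in sorted(NIST_RSA_STRENGTH):
        if NIST_RSA_STRENGTH[size] >= need:
            return size
    return None


def gnfs_log_effort(modulus_bits):
    """Natural log of the heuristic GNFS running time
    L_n[1/3, (64/9)^(1/3)] = exp(c * (ln n)^(1/3) * (ln ln n)^(2/3))
    for an n-bit modulus, with the o(1) term dropped."""
    ln_n = modulus_bits * math.log(2)          # ln n for n ~ 2^bits
    c = (64 / 9) ** (1 / 3)                    # about 1.923
    return c * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)


def gnfs_effort_ratio(bits_a, bits_b):
    """Roughly how many times harder factoring a bits_b modulus is than a
    bits_a modulus, under the same GNFS heuristic."""
    return math.exp(gnfs_log_effort(bits_b) - gnfs_log_effort(bits_a))


if __name__ == "__main__":
    # Constructed comparison for the sizes discussed in the message.
    for size in (1024, 2048, 3072):
        print(f"RSA-{size}: {rsa_security_bits(size)} bits of security; "
              f"adequate in 2014? {rsa_modulus_adequate(size, 2014)}; "
              f"in 2031? {rsa_modulus_adequate(size, 2031)}")
    print(f"768 -> 1024 bits: about {gnfs_effort_ratio(768, 1024):.0f}x more GNFS effort")
    print(f"1024 -> 2048 bits: about {gnfs_effort_ratio(1024, 2048):.2e}x more GNFS effort")
```

Run as written, the script reports that RSA-1024 fell short of the NIST minimum already in 2014, that RSA-2048 covers the 2011-2030 bracket but not the 128-bit requirement after 2030, and that the heuristic puts a 1024-bit modulus roughly a thousand times harder to factor than the 768-bit one broken in [1], while 2048 bits sits around nine orders of magnitude beyond that.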