[Cryptography] Encryption opinion

Tom Ritter tom at ritter.vg
Mon Aug 18 17:46:03 EDT 2014


On 17 August 2014 07:29, Peter Gutmann <pgut001 at cs.auckland.ac.nz> wrote:
> Another example of this occurs with online commerce.  Turn off every cipher in
> your browser except single DES (I'm not sure if you can still enable RC4/40)
> and go to your bank and transfer some funds, or go to eBay and buy something.
> Watch the complete lack of anything that arises from this.

I don't believe you. You're a wonderful guy with fantastic choice in
restaurants, but I'm going to need to check this myself. ;)

This is not particularly easy to verify, but I downloaded Firefox ESR
17 (which still has the old ciphers), and flipped them all. RC4/56,
Single DES, RC4/40, NULL, I've got all the bad ones and none of the
good ones.  Then I went to as many sites as I could think of:

Ebay - Nope
Westpac.com.au - nope
Wells Fargo - nope
Bank of America - nope
Google Search - nope (made this tricky, had to use bing)
HSBC US, UK, and HK - nope
BoA - nope
Barclays UK - nope
Chase - no
Citi - nope
Vanguard - nope

None of those sites accepted the SSL handshake.  I'm certain that
there are still some banks out there that allow weak ciphers, but
saying it's the norm does not seem to be correct from my testing.

Moving back to speaking generally:

On 17 August 2014 14:13, Steve Weis <steveweis at gmail.com> wrote:
> Regardless, RSA-512 is easily factorable by an individual. For example,
> Zachary Harris factored Google's RSA-512 DKIM key for fun two years ago,
> which precipitated major sites upgrading their DKIM keys:
> http://www.wired.com/2012/10/dkim-vulnerability-widespread/all/

Also, FWIW, I was doing 30-hour RSA-512 factorings in 2011.  Haven't
tried on new hardware, probably down to a day now, maybe faster.  The
square root is not nicely parallelized.

Factoring RSA-1024 is definitely a feat of accomplishment, and you're
right, if I was going to go after 1024 bit, I'd go factor one of the
1024-bit CA roots Mozilla is still shipping, not Jorge's app.  But I
would be genuinely surprised and disappointed if there wasn't an
academic project sieving for RSA-1024 right now.  With the right team
of grad students and access to a good cluster, I would expect it to
take 2-3 years calendar time and $1m (plus some free sieving time) to
fall.  And when that happens, even more than today, using RSA-1024 is
a marketing disaster.

But choosing such weak cryptography, when stronger, faster, smaller
options exist seems foolish.  If you can integrate one of djb's
libraries for curve-25519 into your code, and you're reasonably
careful, ECC's 'brittleness' won't be any more brittle than RSA.
_Especially_ when you factor in Steve's observations about unpadded
RSA.

Also, Jorge, you should reach out to Sandy at
https://wiki.openitp.org/events:techno-activism_3rd_mondays:new_york
and visit them. There are a lot of technologists and crypto
enthusiasts in NYC; I can introduce you to some directly as well.

-tom