[Cryptography] FREAK attack

Jerry Leichter leichter at lrw.com
Sat Mar 7 07:27:15 EST 2015

On Mar 6, 2015, at 9:05 PM, Salz, Rich <rsalz at akamai.com> wrote:
> If FREAK shows 512K RSA can be factored in under half a day, then perhaps 1K RSA, which some have picked for the base year, can probably be factored in a week or two.  So clearly, there has to be at least one change in your timelines.
I'm not sure how you're getting your estimate for 1K RSA.  The RSA-1024 factoring challenge - with a $100,000 prize - remains unsolved.  Indications are that someone will break it "any time now", but it hasn't happened.

Of course, the initial break will likely be with a very large network of machines and a great deal of time.  To get to routine factoring using reasonable resources will take a number of years more.  NIST "deprecated" RSA-1024 as of 2011, but only "disallowed" it starting in 2014, which seems conservative and prudent.

Accepted asymmetric encryption algorithms have not be attacked successfully; they've only "timed out" in the sense that their security parameters have become too small to provide an adequate defense against ever-faster attackers.  The "time out" periods have been predicted well in advance over quite a few years, so can reasonably be planned for.  At least with RSA, trying to stay "way ahead" - say, using 16K keys - is impractical for performance reasons.  What's needed for asymmetric algorithms appears to be:  Pick an algorithm and provide a pre-planned means to increase key sizes over time.

At some point we might well want to "transition" from RSA to ECC.  But there's little reason to have them as *alternatives*.
                                                        -- Jerry

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20150307/c59f28a5/attachment.html>

More information about the cryptography mailing list