[Cryptography] FREAK attack
Jerry Leichter
leichter at lrw.com
Sat Mar 7 07:27:15 EST 2015
On Mar 6, 2015, at 9:05 PM, Salz, Rich <rsalz at akamai.com> wrote:
> If FREAK shows 512K RSA can be factored in under half a day, then perhaps 1K RSA, which some have picked for the base year, can probably be factored in a week or two. So clearly, there has to be at least one change in your timelines.
I'm not sure how you're getting your estimate for 1K RSA. The RSA-1024 factoring challenge - with a $100,000 prize - remains unsolved. Indications are that someone will break it "any time now", but it hasn't happened.
Of course, the initial break will likely be with a very large network of machines and a great deal of time. To get to routine factoring using reasonable resources will take a number of years more. NIST "deprecated" RSA-1024 as of 2011, but only "disallowed" it starting in 2014, which seems conservative and prudent.
Accepted asymmetric encryption algorithms have not been attacked successfully; they've only "timed out" in the sense that their security parameters have become too small to provide an adequate defense against ever-faster attackers. The "time out" periods have been predicted well in advance over quite a few years, so they can reasonably be planned for. At least with RSA, trying to stay "way ahead" - say, using 16K keys - is impractical for performance reasons. What's needed for asymmetric algorithms appears to be: pick an algorithm and provide a pre-planned means to increase key sizes over time.
At some point we might well want to "transition" from RSA to ECC. But there's little reason to have them as *alternatives*.
-- Jerry