[Cryptography] Further proof that crypto is more like the fashion industry than the security industry
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Fri Dec 22 22:15:10 EST 2023
[I wrote this a few years ago around 2020, probably enough time has passed
that it's safe to post by now].
I was asked to go through a lengthy security standard from a professional body
which is mostly derived from the NIST requirements and see what it would take
to comply with it. So let's see what we can learn from it...
Firstly, a DLP key used for DSA is secure at 1024 bits, but if exactly the
same key is used for DH it's only secure at 4096 bits. Who knew that the DLP
was much easier to solve based on what the key is used for? Must remember to
label any DH keys as "for DSA use only" to make them more secure.
RSA on the other hand is secure at 2048 bits. I guess that covers all the
bases for power-of-two lengths. If Elgamal wants a turn, it'll have to take
8192 bits.
Next, you're not allowed to use 32-bit systems to do crypto any more. This is
because if you want to use ECC you have to use a minimum of P384/SHA384, and
that pretty much requires a 64-bit word size. Unfortunately they've
inexplicably omitted the reference to the paper that breaks SHA256 so it's not
possible to tell what the problem is with using the universal-standard P256/SHA256
rather than the barely-used P384/SHA384.
Then there's the reference to OpenSSH in the section on approved protocols,
and specifically versions that default to homebrew mechanisms that the OpenSSH
folks dreamed up, none of which are remotely NIST-approved or compliant with
any of the above.
And so it goes...
Peter.