[10411] in cryptography@c2.net mail archive


RE: Cringely ...or- long-lasting encryption - motivation for ECC?

daemon@ATHENA.MIT.EDU (Amir Herzberg)
Wed Feb 6 12:29:29 2002

From: "Amir Herzberg" <amir@beesites.co.il>
To: "'EKR'" <ekr@rtfm.com>,
	"'Eugene Leitl'" <Eugene.Leitl@lrz.uni-muenchen.de>
Cc: "'Cryptography List'" <cryptography@wasabisystems.com>
Date: Wed, 6 Feb 2002 17:34:42 +0200
Message-ID: <000001c1af23$d432cde0$323cfea9@newgenpay>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
In-Reply-To: <kjit9bhpso.fsf@romeo.rtfm.com>

Eric Rescorla [ER] replied to Eugene Leitl [EL]:
...
> > EL:
> > Personally, I no longer trust RSA for long term security.
> >
> > This is public-key crypto, not symmetric, so a break of your RSA key
> > means that all your encrypted traffic becomes readable rather than
> > just one message.  E.g., if a few years ago you used 512-bit RSA to
> > encrypt a will that was not to be read by anybody until you die,
> > that's tough because it could be read today.  Doesn't matter that you
> > moved to 768 bits and then 1024 in the meantime.
> If you care about Perfect Forward Secrecy, you shouldn't be using
> RSA at all. You should be using DH with a fresh key for each
> exchange. The probability that in the next 50 years your key will
> be compromised in some other way than factoring is sufficiently
> high to motivate this tactic. (In my view, it's vastly higher
> than that of your key being broken by factoring).

Correct... and furthermore - this only dealt with transmitting the
encrypted (and signed?) will, presumably to a trusted lawyer (or other
trusted party). I would also be more concerned about the risk that the
lawyer/party will be corrupted (by software or otherwise...) within the
50 years. Again the solution has nothing to do with ECC vs. RSA...

This is a bit besides the original debate but let me quickly recall the
three main techniques I know of protecting such a long-lasting secret
data:

-- Tamper-resistant hardware
-- Splitting the data (or a strong symmetric key with which the data is
encrypted) among several secure storage units (secret sharing)
-- The same, but proactively re-hashing the shares periodically, so that
an attacker must collect all shares during the same period (proactive
secret sharing). 
 
Regards, 

Amir Herzberg
See http://amir.beesites.co.il/book.html for lectures and draft-chapters
from `secure communication and commerce using cryptography`; feedback
welcome!


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com
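The second and third techniques in the list above (threshold secret sharing of a strong symmetric key, and periodic proactive refresh of the shares) can be illustrated with a small worked example. The code below is an added example written for this archive page; it is not from the original message or from the author's book. It uses Shamir's polynomial scheme over the prime field GF(2^127 - 1) (the choice of prime is an assumption made here for illustration), and implements the refresh the standard way: every share is updated by a fresh random polynomial with a zero constant term, so the secret is unchanged but shares from different epochs no longer interpolate to it. The names `split_secret`, `reconstruct` and `refresh_shares` are this example's own.

```python
import secrets

# Field prime for all arithmetic: the Mersenne prime 2**127 - 1 (assumed here;
# any prime larger than the secret and the number of shares works).
P = (1 << 127) - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (coefficients low to high) at x over GF(P)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret, threshold, n_shares):
    """Shamir split: returns n_shares points (x, y); any `threshold` of them
    recover the secret, fewer reveal nothing about it."""
    if not 1 <= threshold <= n_shares < P:
        raise ValueError("need 1 <= threshold <= n_shares < P")
    if not 0 <= secret < P:
        raise ValueError("secret must be an integer in [0, P)")
    # Constant term is the secret; the other threshold-1 coefficients are random.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n_shares + 1)]


def reconstruct(shares):
    """Lagrange interpolation at x = 0 over GF(P). Gives the secret only when
    enough shares from the SAME epoch are supplied."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    secret = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj, _ in shares:
            if xj != xi:
                num = (num * (-xj)) % P
                den = (den * (xi - xj)) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret


def refresh_shares(shares, threshold):
    """Proactive refresh for a new epoch: add a random polynomial whose
    constant term is 0 to every share. The secret is unchanged, but an
    attacker who collected fewer than `threshold` shares in the old epoch
    cannot combine them with shares stolen in the new one."""
    zero_poly = [0] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, (y + _eval_poly(zero_poly, x)) % P) for x, y in shares]


def key_to_int(key_bytes):
    """Encode a symmetric key (e.g. 16 bytes) as a field element to share."""
    value = int.from_bytes(key_bytes, "big")
    if value >= P:
        raise ValueError("key too large for the field; share it in chunks")
    return value


def int_to_key(value, length):
    """Inverse of key_to_int."""
    return value.to_bytes(length, "big")


if __name__ == "__main__":
    # Constructed sample: a 16-byte key for encrypting the long-lived document.
    key = bytes(range(16))
    shares = split_secret(key_to_int(key), threshold=3, n_shares=5)
    assert int_to_key(reconstruct(shares[:3]), 16) == key
    epoch2 = refresh_shares(shares, threshold=3)
    assert int_to_key(reconstruct(epoch2[2:]), 16) == key
    # Two old-epoch shares plus one new-epoch share do not reconstruct.
    print(reconstruct(shares[:2] + epoch2[2:3]) == key_to_int(key))  # False
```

Two operational points the code does not enforce: after each refresh, every storage unit must securely erase its old share (otherwise the attacker's window never closes), and a deployed scheme would add verifiable secret sharing so that a corrupted unit cannot hand out a bad share undetected.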
