[147240] in cryptography@c2.net mail archive


Re: [Cryptography] RSA equivalent key length/strength

daemon@ATHENA.MIT.EDU (Phillip Hallam-Baker)
Thu Sep 19 13:06:50 2013

X-Original-To: cryptography@metzdowd.com
In-Reply-To: <523A19BF.2040004@cypherpunks.to>
Date: Thu, 19 Sep 2013 09:54:27 -0400
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Lucky Green <shamrock@cypherpunks.to>
Cc: "cryptography@metzdowd.com" <cryptography@metzdowd.com>,
	Crypto discussion list <cryptography@randombit.net>, moti@cs.columbia.edu
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

On Wed, Sep 18, 2013 at 5:23 PM, Lucky Green <shamrock@cypherpunks.to> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 2013-09-14 08:53, Peter Fairbrother wrote:
>
> > I get that 1024 bits is about on the edge, about equivalent to 80
> > bits or a little less, and may be crackable either now or sometime
> > soon.
>
> Moti Yung and others wrote a book back in the 90's (or perhaps) 80's,
> that detailed the strength of various RSA key lengths over time. I am
> too lazy to look up the reference or locate the book on my bookshelf.
> Moti: help me out here? :-)
>
> According to published reports that I saw, NSA/DoD pays $250M (per
> year?) to backdoor cryptographic implementations. I have knowledge of
> only one such effort. That effort involved DoD/NSA paying $10M to a
> leading cryptographic library provider to both implement and set as
> the default the obviously backdoored Dual_EC_DRBG as the default RNG.
>
> This was $10M wasted. While this vendor may have had a dominating
> position in the market place before certain patents expired, by the
> time DoD/NSA paid the $10M, few customers used that vendor's
> cryptographic libraries.
>
> There is no reason to believe that the $250M per year that I have seen
> quoted as used to backdoor commercial cryptographic software is spent
> to any meaningful effect.
>

The most corrosive thing about the whole affair is the distrust it has sown.

I know a lot of ex-NSA folk and none of them has ever once asked me to drop
a backdoor. And I have worked very closely with a lot of government
agencies.


Your model is probably wrong. Rather than going out to a certain crypto
vendor and asking them to drop a backdoor, I think they choose the vendor
on the basis that they have a disposition to a certain approach and then
they point out that given that they have a whole crypto suite based on EC
wouldn't it be cool to have an EC based random number generator.

I think that the same happens in IETF. I don't think it very likely Randy
Bush was bought off by the NSA when he blocked deployment of DNSSEC for ten
years by killing OPT-IN. But I suspect that a bunch of folk were whispering
in his ear that he needed to be strong and resist what was obviously a
blatant attempt at commercial sabotage etc. etc.


I certainly think that the NSA is behind the attempt to keep the Internet
under US control via ICANN which is to all intents a quango controlled by
the US government. For example, ensuring that the US has the ability to
impose a digital blockade by dropping a country code TLD out of the root.
Right now that is a feeble threat because ICANN would be over in a minute
if they tried. But deployment of DNSSEC will give them the power to do that
and make it stick (and no, the key share holders cannot override the veto,
the shares don't work without the key hardware).

A while back I proposed a scheme based on a quorum signing proposal that
would give countries like China and Brazil the ability to assure themselves
that they were not subjected to the threat of future US capture. I have
also proposed that countries have a block of IPv6 and BGP-AS space assigned
as a 'Sovereign Reserve'. Each country would get a /32 which is more than
enough to allow them to ensure that an artificial shortage of IPv6
addresses can't be used as a blockade. If there are government folk reading
this list who are interested I can show them how to do it without waiting
on permission from anyone.


-- 
Website: http://hallambaker.com/
