[147272] in cryptography@c2.net mail archive
Re: [Cryptography] RSA equivalent key length/strength
daemon@ATHENA.MIT.EDU (Bill Frantz)
Tue Sep 24 09:40:38 2013
X-Original-To: cryptography@metzdowd.com
Date: Sun, 22 Sep 2013 12:16:06 -0700
From: Bill Frantz <frantz@pwpconsult.com>
To: Patrick Pelletier <code@funwithsoftware.org>
In-Reply-To: <523E34A6.2010004@funwithsoftware.org>
Cc: cryptography@metzdowd.com
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
On 9/21/13 at 5:07 PM, code@funwithsoftware.org (Patrick
Pelletier) wrote:
>I'm inclined to agree with you, but you might be
>interested/horrified in the "1024 bits is enough for anyone"
>debate currently unfolding on the TLS list:
>
>http://www.ietf.org/mail-archive/web/tls/current/msg10009.html
I think that this comment is a serious misinterpretation of the
discussion on the TLS list.
The RFC under discussion is a Best Current Practices (BCP) RFC.
Some people, including me, think that changes to the protocol or
current implementations of the protocol are out of scope for a
BCP document.
There are several implementations of TLS which will only do 1024
bit Diffie-Hellman ephemeral (DHE)[1]. The question as I see it
is: Are we better off recommending forward security with 1024
bit DHE, with the possibility that large organizations can brute
force it; or using the technique of having the client encrypt
the keying material with the server's RSA key with the
probability that the same large organizations have acquired the
server's secret key.
Now there are good arguments on both sides.
The nearly complete database of who talks to who allows
"interesting" communications [2] to be singled out for attacks
on the 1024 bit DHE. Cracking all the DHE exchanges is probably
more work than these large organizations can do with current
technology. However, it is almost certain that these sessions
will be readable in the not too distant future.
It is widely believed that most large sites have had their RSA
secret keys compromised, which makes all these sessions are
trivially readable.
I think that the vast majority of TLS list commenters want to
have TLS 1.3 include fixes for the problems that have been
identified. However, getting TLS 1.3 approved is at least a
year, and getting it through the FIPS process will add at least
another year. We already know that these large organizations
work to delay better crypto, sometimes using the argument that
we should wait for the perfect solution rather than
incrementally adopt better solutions in the mean time.
Cheers - Bill
[1] Implementations which will only do 1024 bit DHE are said to
include: Apache with OpenSSL, Java, and Windows crypt libraries
(used by Internet Explorer). If longer keys are used by the
other side, they abort the connection attempt.
[2] I actually believe NSA when they say they aren't interested
in grandma's cookie recipe. I am, but I like good cookies. :0)
-----------------------------------------------------------------------
Bill Frantz | Privacy is dead, get over | Periwinkle
(408)356-8506 | it. | 16345
Englewood Ave
www.pwpconsult.com | - Scott McNealy | Los Gatos,
CA 95032
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography