[147315] in cryptography@c2.net mail archive


Re: [Cryptography] RSA equivalent key length/strength

daemon@ATHENA.MIT.EDU (Phillip Hallam-Baker)
Sat Sep 28 12:45:50 2013

X-Original-To: cryptography@metzdowd.com
In-Reply-To: <201309270759.r8R7xFqQ002680@new.toad.com>
Date: Fri, 27 Sep 2013 11:23:27 -0400
From: Phillip Hallam-Baker <hallam@gmail.com>
To: John Gilmore <gnu@toad.com>
Cc: "cryptography@metzdowd.com" <cryptography@metzdowd.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com


On Fri, Sep 27, 2013 at 3:59 AM, John Gilmore <gnu@toad.com> wrote:

> > And the problem appears to be compounded by doofus legacy implementations
> > that don't support PFS greater than 1024 bits. This comes from a
> > misunderstanding that DH keysizes only need to be half the RSA length.
> >
> > So to go above 1024 bits PFS we have to either
> >
> > 1) Wait for all the servers to upgrade (i.e. never do it because they
> > won't upgrade)
> >
> > 2) Introduce a new cipher suite ID for 'yes we really do PFS at 2048 bits
> > or above'.
>
> Can the client recover and do something useful when the server has a
> buggy (key length limited) implementation?  If so, a new cipher suite
> ID is not needed, and both clients and servers can upgrade asynchronously,
> getting better protection when both sides of a given connection are
> running the new code.
>

Actually, it turns out that the problem is that the client croaks if the
server tries to use a key size that is bigger than it can handle. Which
means that there is no practical way to address it server side within the
current specs.

> In the case of (2) I hope you mean "yes we really do PFS with an
> unlimited number of bits".  1025, 2048, as well as 16000 bits should work.
>

There is no reason to use DH longer than the key size in the certificate
and no reason to use a shorter DH size either.

Most cryptolibraries have a hard coded limit at 4096 bits and there are
diminishing returns to going above 2048. Going from 4096 to 8192 bits only
increases the work factor by a very small amount and they are really slow
which means we end up with DoS considerations.

We really need to move to EC above RSA. Only it is going to be a little
while before we work out which parts have been contaminated by NSA
interference and which parts are safe from patent litigation. RIM looks set
to collapse with or without the private equity move. The company will be
bought with borrowed money and the buyers will use the remaining cash to
pay themselves a dividend. Mitt Romney showed us how that works.

We might possibly get lucky and the patents get bought out by a white
knight. But all the mobile platform providers are in patent disputes right
now and I can't see it likely someone will plonk down $200 million for a
bunch of patents and then make the crown jewels open.


Problem with the NSA is that it's Jekyll and Hyde. There is the good side
trying to improve security and the dark side trying to break it. Which side
did the push for EC come from?

-- 
Website: http://hallambaker.com/
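The points argued in this exchange, as an added example that is not part of the thread or of any of the libraries it mentions: a parser for the TLS 1.2 ServerDHParams structure so a client can inspect the offered group size instead of croaking on it, a size policy that rejects sub-2048-bit groups and flags groups larger than the certificate key, and the GNFS work-factor heuristic next to a cubic modexp cost model for weighing 2048 against 4096 and 8192. The sample message and the 1024-bit value standing in for dh_p are constructed (it is not a real prime); the policy thresholds and the cost model are assumptions for illustration.

```python
import math
import struct

def parse_server_dh_params(data: bytes) -> dict:
    """Parse TLS 1.2 ServerDHParams (RFC 5246 section 7.4.3): dh_p, dh_g, dh_Ys,
    each a 2-byte big-endian length followed by that many bytes."""
    fields, off = {}, 0
    for name in ("p", "g", "Ys"):
        if off + 2 > len(data):
            raise ValueError(f"truncated before length of {name}")
        (n,) = struct.unpack(">H", data[off:off + 2])
        off += 2
        if n == 0 or off + n > len(data):
            raise ValueError(f"bad length for {name}")
        fields[name] = int.from_bytes(data[off:off + n], "big")
        off += n
    fields["consumed"] = off
    return fields

def encode_server_dh_params(p: int, g: int, ys: int) -> bytes:
    out = b""  # inverse of the parser; used only to build the constructed sample
    for v in (p, g, ys):
        raw = v.to_bytes((v.bit_length() + 7) // 8, "big")
        out += struct.pack(">H", len(raw)) + raw
    return out

def check_dh_policy(p_bits: int, cert_rsa_bits: int, floor_bits: int = 2048) -> str:
    """Client-side policy (assumed thresholds): refuse groups below the floor, the
    1024-bit legacy case, and flag groups larger than the certificate key."""
    if p_bits < floor_bits:
        return "reject: DH group below minimum"
    if p_bits > cert_rsa_bits:
        return "warn: DH group exceeds certificate key size"
    return "ok"

def nfs_security_bits(modulus_bits: int) -> float:
    """GNFS / index-calculus heuristic L_n[1/3, (64/9)^(1/3)] expressed in bits."""
    ln_n = modulus_bits * math.log(2)
    c = (64 / 9) ** (1 / 3)
    return c * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3) / math.log(2)

def relative_modexp_cost(modulus_bits: int, base_bits: int = 2048) -> float:
    """Schoolbook modexp grows roughly cubically, so each doubling costs about 8x."""
    return (modulus_bits / base_bits) ** 3

# Constructed sample: a 1024-bit odd value standing in for dh_p (NOT a real prime).
SAMPLE_P = (1 << 1023) | 0x1234567
SAMPLE_MSG = encode_server_dh_params(SAMPLE_P, 2, 0x5A5A5A)
```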

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography