[147357] in cryptography@c2.net mail archive
Re: [Cryptography] RSA equivalent key length/strength
daemon@ATHENA.MIT.EDU (Peter Fairbrother)
Mon Sep 30 18:36:43 2013
Date: Mon, 30 Sep 2013 21:31:09 +0100
From: Peter Fairbrother <zenadsl6186@zen.co.uk>
To: ianG <iang@iang.org>
In-Reply-To: <5243D9B7.6060400@iang.org>
Cc: cryptography@metzdowd.com
On 26/09/13 07:52, ianG wrote:
> On 26/09/13 02:24 AM, Peter Fairbrother wrote:
>> On 25/09/13 17:17, ianG wrote:
>>> On 24/09/13 19:23 PM, Kelly John Rose wrote:
>>>
>>>> I have always approached that no encryption is better than bad
>>>> encryption, otherwise the end user will feel more secure than they
>>>> should and is more likely to share information or data they should not
>>>> be on that line.
>>>
>>>
>>> The trap of a false sense of security is far outweighed by the benefit
>>> of a "good enough" security delivered to more people.
Given that mostly security works (or it should), what's really important
is where that security fails - and "good enough" security can drive out
excellent security.
We can easily have excellent security in TLS (mk 2?) - the crypto part
of TLS can be unbreakable, code to follow (hah!) - but 1024-bit DHE
isn't, say, unbreakable for 10 years, far less for a lifetime.
We are only talking about security against an NSA-level opponent here.
Is that significant?
E.g., Tor isn't robust against NSA-level opponents. Is OTR?
>>> We're talking multiple orders of magnitude here. The math that counts
>>> is:
>>>
>>> Security = Users * Protection.
>>
>> No. No. No. Please, no? No. Nonononononono.
>>
>> It's Summa (over i) P_i.I_i where P_i is the protection provided to
>> information i, and I_i is the importance of keeping information i
>> protected.
>
>
> I'm sorry, I don't deal in omniscience. Typically we as suppliers of
> some security product have only the faintest idea what our users are up
> to. (Some consider this a good thing, it's a privacy quirk.)
No, and you don't know how important your opponent thinks the
information is either, and therefore what resources he might be willing
or able to spend to get access to it - but we can make some crypto which
(we think) is unbreakable.
No matter who or what resources, unbreakable. You can rely on the math.
And it doesn't usually cost any more than we are willing to pay - heck,
the price is usually lost in the noise.
Zero crypto (theory) failures.
Ok, real-world systems won't ever meet that standard - but please don't
hobble them with failure before they start trying.
> With that assumption, the various i's you list become some sort of
> average
Do you mean I-i's?
Ah, average. Which average might that be? Hmmm, independent
distributions of two variables - are you going to average them, then
multiply the averages?
That approximation doesn't actually work very well, mathematically
speaking - as I'm sure you know.
> This is why the security model that is provided is typically
> one-size-fits-all, and the most successful products are typically the
> ones with zero configuration and the best fit for the widest market.
I totally agree with zero configuration - and best fit - but you are
missing the main point.
Would 1024-bit DHE give a reasonable expectation of say, ten years
unbreakable by NSA?
If not, and Manning or Snowden wanted to use TLS, they would likely be
busted.
Incidentally, would OTR pass that test?
-- Peter Fairbrother
(sorry for the sloppy late reply)
(I'm talking about TLS2, not a BCP - but the BCP is significant)
(how's the noggin? how's Waterlooville?? can I come visit sometime?)
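The "is 1024-bit DHE good for ten years" question above turns on how much work a prime-field discrete log of that size costs relative to symmetric ciphers. The following is an added example, not code from this thread or from any of its participants: it evaluates the standard GNFS asymptotic L[1/3, (64/9)^(1/3)] as a rough yardstick for a modulus of a given size (the same running time applies to factoring an RSA modulus and to discrete logs in a prime field of that size, which is why 1024-bit DHE and 1024-bit RSA are treated as equivalent) and sets it beside the NIST SP 800-57 equivalences. The heuristic drops constant factors, so it is assumed here only as a way to compare sizes, not as a cost estimate for any particular attacker.

```python
import math

# (64/9)^(1/3): the constant in the GNFS running time L_n[1/3, c].
C_GNFS = (64 / 9) ** (1 / 3)

# NIST SP 800-57 Part 1 equivalences: finite-field modulus bits -> symmetric bits.
# These are deliberately conservative compared with the raw asymptotic below.
NIST_SP800_57 = {1024: 80, 2048: 112, 3072: 128, 7680: 192, 15360: 256}


def gnfs_work_bits(modulus_bits: int) -> float:
    """log2 of L_n[1/3, C] = exp(C * (ln n)^(1/3) * (ln ln n)^(2/3)) for n ~ 2^modulus_bits.

    This is the uncalibrated asymptotic: no o(1) term, no constant factor,
    so it overstates the strength of every size compared with published tables.
    """
    ln_n = modulus_bits * math.log(2)
    ln_work = C_GNFS * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return ln_work / math.log(2)


def modulus_bits_for_symmetric(security_bits: int, step: int = 64) -> int:
    """Smallest modulus size (in `step`-bit increments) whose raw GNFS work
    reaches `security_bits`. Because the raw asymptotic is optimistic, a
    defender should treat this as a floor and round up to the NIST size."""
    size = 512
    while gnfs_work_bits(size) < security_bits:
        size += step
    return size


def compare_table():
    """Rows of (modulus bits, raw GNFS work bits, NIST symmetric equivalent)."""
    return [(m, round(gnfs_work_bits(m), 1), sym) for m, sym in NIST_SP800_57.items()]


if __name__ == "__main__":
    print("modulus  raw-GNFS  NIST")
    for modulus, raw, nist in compare_table():
        print(f"{modulus:7d}  {raw:8.1f}  {nist:4d}")
    # Illustrates the gap: the asymptotic alone would call 1024-bit DHE ~87 bits,
    # while the conservative table says 80, and neither says anything about how
    # that work divides across an opponent's budget over the ten years asked about.
```

Running the block prints the raw heuristic against the NIST table; the gap between the two columns is the constant-factor uncertainty that the thread's "reasonable expectation of ten years" question is really about.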
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography