[4590] in cryptography@c2.net mail archive
Re: key vulnerability
daemon@ATHENA.MIT.EDU (Arnold G. Reinhold)
Tue May 4 13:42:19 1999
In-Reply-To: <3.0.5.32.19990504091611.00834e80@202.54.12.17>
Date: Tue, 4 May 1999 10:05:49 -0400
To: Udhay Shankar N <udhay@pobox.com>, cryptography@c2.net
From: "Arnold G. Reinhold" <reinhold@world.std.com>
At 9:16 AM -0400 5/4/99, Udhay Shankar N wrote:
>><http://www.nytimes.com/library/tech/99/05/biztech/articles/02encr.html>
>
>[...]
>
>>"Researchers said that if his machine worked it would mean that
>>cryptographic systems with keys of 512 bits or less -- that is, keys less
>>than about 150 digits long -- would be vulnerable in the future, an
>>exposure that would have seemed unthinkable only five years ago. The longer
>>1,024-bit keys that are available today would not be vulnerable at present."
>
>I'm curious -- I'm in the process of phasing out my 768-bit RSA key, but
>would it still be considered secure ? And if so, for how long ?
>
No one can say with certainty how long a given RSA key size will be secure.
Here is what the RSA web site
http://www.rsa.com/rsalabs/faq/html/3-1-5.html has to say on the matter:
"A more recent study of RSA key-size security can be found in an article by
Odlyzko [Odl95]. Odlyzko considers the security of RSA key sizes based on
factoring techniques available in 1995 and on potential future
developments, and he also considers the ability to tap large computational
resources via computernetworks. In 1997, a specific assessment of the
security of 512-bit RSA keys shows that one maybe factored for less than
$1,000,000 in cost and eight months of effort [Rob95d]. It is believed that
512-bit keys no longer provide sufficient security for anything more than
very short-term security needs. RSA Laboratories currently recommends key
sizes of 768 bits for personal use, 1024 bits for corporate use, and 2048
bits for extremely valuable keys like the root-key pair used by a
certifying authority."
Arnold Reinhold
