From owner-freebsd-security  Mon Mar 25 19:37:17 2002
Delivered-To: freebsd-security@freebsd.org
Received: from oxmail.ox.ac.uk (oxmail1.ox.ac.uk [129.67.1.2])
	by hub.freebsd.org (Postfix) with ESMTP id 8E58537B416
	for <freebsd-security@freebsd.org>; Mon, 25 Mar 2002 19:37:13 -0800 (PST)
Received: from heraldgate2.oucs.ox.ac.uk
	([163.1.2.50] helo=frontend2.herald.ox.ac.uk ident=exim)
	by oxmail.ox.ac.uk with esmtp (Exim 3.34 #2)
	id 16phlo-0007m3-01
	for freebsd-security@freebsd.org; Tue, 26 Mar 2002 03:37:12 +0000
Received: from dhcp1025.wadham.ox.ac.uk ([163.1.161.25] helo=piii600.wadham.ox.ac.uk)
	by frontend2.herald.ox.ac.uk with esmtp (Exim 3.32 #1)
	id 16phlo-0001Vp-00
	for freebsd-security@freebsd.org; Tue, 26 Mar 2002 03:37:12 +0000
X-Info-RBL1: ox.ac.uk filters email against various lists.
X-Info-RBL2: If your replies bounce, try sending them to cperciva@sfu.ca
Message-Id: <5.0.2.1.1.20020326024955.02392830@popserver.sfu.ca>
X-Sender: cperciva@popserver.sfu.ca
X-Mailer: QUALCOMM Windows Eudora Version 5.0.2
Date: Tue, 26 Mar 2002 03:37:10 +0000
To: freebsd-security@freebsd.org
From: Colin Percival <colin.percival@wadham.ox.ac.uk>
Subject: It's time for those 2048-, 3072-, and 4096-bit keys?
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

   In light of DJB's widely-cited paper 
(http://cr.yp.to/papers.html#nfscircuit) on integer factorization circuits, 
along with subsequent analysis which suggests that such attacks might be 
practical, is it time to change the default key sizes in OpenSSH?
   While the practicality of the cracking machine proposed is still a 
matter of debate, it seems that the risk is sufficient, and the cost of 
increasing key sizes is sufficiently small, that there is little 
justfication for not switching to a larger default key size.  While a 
couple years ago it might have been argued that the initial cost of 
generating longer keys would be excessive, I can now generate a 4096-bit in 
about 30 seconds on a rather low-end box, so I don't think key generation 
time is particularly relevant any more.
   Is there any other reason for not changing the default key size?

Colin Percival


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message