To: mipam@ibb.net, Matthias Buelow, Stefan Krüger, freebsd-security@FreeBSD.org, tech-security@netbsd.org, misc@openbsd.org
Subject: Long RSA keys
From: "Perry E. Metzger"
Date: 29 Aug 2002 16:03:03 -0400
Message-ID: <8765xtzb48.fsf@snark.piermont.com>

I want to make something absolutely clear.

I think it is always a good idea to use the best crypto your application can comfortably handle. If your machine is fast enough to use 2048 bit RSA keys, well, no harm is done by it, and if Dan Bernstein is correct, 1024 bit keys will be obsolete sooner than we thought so it may be worthwhile. There is always a tradeoff, and 2048 bit keys are unacceptably slow on old hardware or for many embedded apps, but it's not an awful idea if you don't care about the speed penalty, like if you have only very modern hardware.

All that said, anyone claiming that it is now affordable to routinely crack 1024 bit RSA keys is unfamiliar with the facts. Maybe (and it's a big maybe) the NSA can afford to dedicate multi-hundred million or billion dollar boxes for a months or longer to do it for a high value key (assuming that it is possible at all), or maybe the NSA knows things about factoring we don't, but it is not bloody likely that everyday crackers or even Fortune 100 companies will be doing this stuff any time soon.

If you think that you have something new and exciting to tell me that I've never heard of before, check if it has been published in Crypto or Eurocrypt or something first. If you don't know enough to read those conference proceedings, you don't know enough to have an intelligent opinion on the cost of building a machine to run djb's NFS factoring ideas.

--
Perry E. Metzger		perry@piermont.com
--
"Ask not what your country can force other people to do for you..."