PDA

View Full Version : Otto - *024 bit RSA keys crackable?



Blacksheep
03-27-2002, 01:49 AM
Good to see you on the ***rd Otto.

What do you think of this?

http://archives.neohapsis.com/archives/bugtraq/2002-0*/0*06.html

Unreggie
03-27-2002, 10:52 AM
"The security implications of a practical breakability of *024-bit RSA
and DH keys are staggering, since of the following systems as currently
deployed tend to utilize keys larger than *024-bits:

- HTTPS
- SSH
- IPSec
- S/MIME
- PGP "

Shouldn't that read "since none of the following..."?

Blacksheep
03-27-2002, 08:19 PM
Yep, I think you are correct - I didn't proof read it.

Otto
03-29-2002, 04:13 PM
Hello Blacksheep,


Originally posted by Blacksheep
Good to see you on the ***rd Otto.

What do you think of this?

http://archives.neohapsis.com/archives/bugtraq/2002-0*/0*06.html

I guess think just what everyone else thinks of this:

(a) It's scary, because you can change your own PGP keys, but you can't tell the owner of a secure web store (or any other site / program using 5*2-bit SSL) to upgrade today.

(b) It's time to use 40*6-bit keys unless you're already using them. At least you can keep your e-mail secure.


Regards,
Otto

DATA
04-12-2002, 08:04 AM
HI BLACK SHEEP,

here is a good reading to ur query.

http://www.rsasecurity.com/rsalabs/technotes/bernstein.html#*

Regards Data.

I'm the green hornet,hehe....

blitz
04-12-2002, 05:20 PM
(b) It's time to use 40*6-bit keys unless you're already using them. At least you can keep your e-mail secure.

Regards,
Otto

no comments .


DATA
Senior Member

Registered: Jun 200*
Location: ind
Posts: 2*0
HI BLACK SHEEP,

here is a good reading to ur query.

http://www.rsasecurity.com/rsalabs/...ernstein.html#*

Regards Data.


er, but what 'bout us, moderate human beings :) .

DATA
04-21-2002, 09:45 AM
HI,

HERE IS a post by adam

---------------------------------------------------------------------------------
I'd just like to make a few comments about the apparently unnoticed or
unstated conflicts of interest and bias in the analysis surrounding
Bernstein's proposal.

The following is not intended to trample on anyone's ego -- but I
think deserves saying.

- I'm not sure any of the respondents so far except Bernstein have
truly understood the math -- there are probably few who do, factoring
being such a narrow research area.

- Dan Bernstein stated that it is not easy to estimate the constants
involved to know whether the asymptotic result affects currently used
key sizes; he stated that the conclusion should be considered unknown
until experimental evidence is gained.

- Nicko van Someren -- the person ******ed with originally making the
exaggerated, or at least highly worst case interpretation at the FC02
panel -- has a conflict interest -- hardware accelerator gear that
ncipher sell will be more markedly needed if people switch to 2048 or
larger keys. Nicko has made no public comments in the resulting
discussion.

- Ian Goldberg also on the panel quickly distanced himself from van
Someren's claim, as Lucky's earlier mail could have been read to imply
Goldberg had also agreed with van Someren's claim.

- RSA's FAQ down playing the result seems relatively balanced though
they have an incentive to downplay the potential of Bernstein's
approach. They have a history of producing biased FAQs: for example
previously the ECC FAQ where they compared ECC unfavorably to RSA.
The FAQ was removed after they licensed tech from certicom and
included ECC in BSAFE.

- Bob Silverman, former RSA factoring expert, observes on sci.crypt,
quote:

> At this point, there is noone left at RSA Labs who has the expertise
> or knowledge to judge Bernstein's work.

- Bruce Schneier's somewhat downplaying comments, as far as I know
Bruce isn't an expert on factoring and he doesn't ****** anyone who is
in his report. Bruce's comments lately seem to have lost much of
their earlier objectivity -- many of his security newsletters lately
seem to contain healthy doses of adverts for counterpane's managed
security offering, and calls for lobbying and laws requiring companies
to use such products for insurance eligibility.

- Lucky on the other hand s***ested a practical security engineering
approach to start to plan for possibility of migrating to larger key
sizes. Already one SSH implementation added a configuration option to
select a minimum key size accepted by servers as a result. This seems
like a positive outcome. Generally the s***estion to move to 2048 bit
keys seems like a good idea to me. Somewhat like MD5 -> SHA*, MD5
isn't broken for most applications but it is potentially tainted by a
partial result. Similarly I would concur with Lucky that it's prudent
security engineering to use 2048 bit keys in new systems.
Historically for example PGP has had similar migrations from minimum
listed key sizes for casual use from 5*2 -> 768 -> *024 over the
years. The progression to 2048 is probably not a bad idea given
current entry level computer speeds and possibility of Bernstein's
approach yeilding an improvement in factoring.

The mocking tone of recent posts about Lucky's call seems quite
misplaced given the checkered bias and questionable authority of the
above conflicting claims we've seen quoted.

Adam
--

oops- I am modereate human too. :)
regards Data.