1024-bit RSA keys in danger of compromise

Damien Miller djm at mindrot.org
Thu Mar 28 23:02:39 EST 2002


On Wed, 27 Mar 2002, Lucky Green wrote:

> > What incremental improvements? Bernstein is the first to 
> > point out that his improvement is asymptotic to key length. 
> > Can you offer evidence to the contrary?
> 
> Are you disputing that Bernstein's paper offered improvements to the
> state-of-the-art in NFS-based factoring or are you disputing that the
> improvements are incremental?

I am disputing that the improvements as presented are practically
relevant. Since you saw fit to cross-post to openssh-unix-dev@, which
is a list concerned with code (not polemic), that is the context in
which I chose to frame my reply.

> > > Coincidentally, the day before the panel, Nicko van Someren announced
> > > at the FC02 rump session that his team had built software which can
> > > factor 512-bit RSA keys in 6 weeks using only hardware they already
> > > had in the office.
> > 
> > DES-56 can be cracked in less than a day, which does little to 
> > diminish 3DES' standing as a good, conservative cipher. 
> 
> Your point being? All that the paragraph you are quoting stated was that
> I had been unaware that 512-bit RSA keys can be factored using the
> hardware found in an office, with the most "specialized box", btw, being
> an Itanium with 1GB of RAM. Not exactly special-purpose equipment that's
> hard to come by. If you were attempting to imply that the paragraph was
> meant as supporting evidence for the 1024-bit factoring issues mentioned
> later in my post, I would encourage you to look up the word
> "coincidentally" in a dictionary.

You offer this aside in the context of an argument against the
insufficiency of 1024 bit RSA keys. Surely you don't expect people to
believe that you weren't including it to bolster your argument?

> > > The panel, consisting of Ian Goldberg and Nicko van Someren, put forth
> > > the following rough first estimates:
> > >
> > > While the interconnections required by Bernstein's proposed
> > > architecture add a non-trivial level of complexity, as Bruce Schneier
> > > correctly pointed out in his latest CRYPTOGRAM newsletter, a 1024-bit
> > > RSA factoring device can likely be built using only commercially
> > > available technology for a price range of several hundred million
> > > dollars to about 1 billion dollars.
> > 
> > Can you offer any analysis to back up this hyperbole?
> 
> Hyperbole. Hmm, we are moving on to big words now. Are you sure you are
> ready to use such words when you don't even know what coincidentally
> means?

Wow, you go from poorly-supported rant to ad-hominem in no time. No
doubt you will retort by labeling me as one of those "captive security
consultants" that you included in your little dissent-squashing
preemptive.

Your post is hyperbole because it is very long on verbiage and very
short on justification. Large claims require a good amount of proof:
If you expect everyone to switch to 2048 bit keys on the basis of your
rant alone, you may be disappointed.

> My post made it clear to those versed in the English language that I was
> simply reporting on the analyses presented by a panel that I happened to
> moderate. Which, in case the reader is unfamiliar with what the word
> moderate means, equates to ensuring that the panelists all get a chance to
> speak and don't stray too far off topic. The results reported are not
> the results of my research. I therefore will leave it to the researchers
> to post the details of the analysis once they are written up in the
> customary form. (Which is not to say that such details had not been
> provided, I simply don't believe it is my role or right to publish the
> details of others' research).

Please get back to us when such research is published. Until then,
I'll treat your argument with the credence that it deserves.

> > Furthermore, your paragraph could easily be misinterpreted to read that
> > Schneier was stating that a 1024 bit RSA cracker is feasible.
> > In fact, he states pretty much the opposite - that
> > Bernstein's result has little effect on keysizes in regular use.
> 
> English language hint #3: note the two commas used in the sentence to
> which you are referring. Then find a book on elementary English grammar
> to determine what their purpose might have been.

The irony is amusing: you write a five line mess of ambiguity and then
accuse me of a lack of grammar skills.

> As a general note, you might find that future comments directed at me
> and others stand a good chance of leading to more fruitful discussion
> that in turn will be more pleasing to you if your inquiries were to take
> a less hostile and accusatory tone.

As a general note, you find that people are willing to give much more
attention to your arguments when they are backed up with facts or
solid analysis (rather than carefully constructed rhetoric) and don't
come with 50kb of crap on the end.

-d





