1024-bit RSA keys in danger of compromise

Damien Miller djm at mindrot.org
Fri Mar 29 11:11:53 EST 2002


On Thu, 28 Mar 2002, Lucky Green wrote:

> [OK, let me try this again, since we clearly got off on the wrong foot
> here. My apologies for overreacting to Damien's post; I have been
> receiving dozens of emails from the far corners of the Net over the last
> few days that alternatively claimed that I was a stooge of the NSA
> because everybody knows that 8k RSA keys can be factored in real-time or
> that 512-bit RSA keys were untouchable since nobody could even perform
> an exhaustive search of a 128-bit key space...]

Likewise, my apologies for being so irritable. Your post arrived at the
end of a very bad week...

> Damien wrote:
> > I am disputing that the improvements as presented are 
> > practically relevant. Since you saw fit to cross-post to 
> > openssh-unix-dev@, which is a list concerned with code (not 
> > polemic), that is the context in which I chose to frame my reply.
> 
> My post reported on what was announced at an academic cryptographic
> conference by a cryptographer that has written peer-reviewed papers on
> the design of large-scale cryptographic processing machines in the past.
> (I.e. how one would in practice build one of Rivest's MicroMint
> machines). I believe my relaying these claims was responsible given the
> potentially massive security implications to a good part of the
> infrastructure. In addition, a reporter for the Financial Times was
> present at the same event who announced his intent to write about it as
> well.
>
> Nowhere in the post did I make, or intend to make, claims of my own as
> to the impact of Bernstein's paper on factoring. I did report on my
> reaction to the claims which I witnessed and on which I therefore
> reported. My reaction to those claims was to create larger keys. Others
> may choose to react differently. Furthermore, I provided those concerned
> with the new claims with what I believe are sound recommendations how to
> counter the potential threat. Which was to increase the key size.

Your arguments would have been better received if you referred to a 
published or forthcoming paper which included the supporting cost 
estimates. It is frustrating to hear news that XXX may be insecure 
without the necessary information to allow oneself to form an opinion.

We get this all the time - usually it is skript kiddies who have some 
supposed sshd exploit :)

> Which brings me to an issue that I hope may be on-topic to this mailing
> list: I would like to be able to enforce that the keys my users can use
> to authenticate themselves to my sshd to be of a minimum size. Is there
> a config option to sshd that will reject user keys below a minimum size?
> I didn't see anything in the man pages or my first go through the code.

As Kevin mentioned, the next release places a lower bound of 768 bits on
the size of RSA keys we will accept. We have a natural aversion to adding 
more config options (more options == more bugs), but I'm sure if evidence
came out that key sizes < x bits were insecure we would either up the 
limit, or make an option.

-d
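The question above (rejecting user keys below a minimum size) and the reply (a fixed 768-bit lower bound in the next release, no config option) suggest an administrator-side check. The following is an added example, not OpenSSH code: it decodes the `ssh-rsa` public-key blob as it appears in an authorized_keys line (base64 of the SSH wire format: string "ssh-rsa", mpint e, mpint n), reports the modulus bit length, and filters lines against a minimum. The function names and the 768-bit default are this example's own choices; the sample key lines are built around constructed integers of the right bit length, not real RSA moduli, so they exercise the parser but are not usable keys.

```python
"""Filter ssh-rsa public keys by modulus size (added example, not OpenSSH code)."""
import base64
import struct

# Lower bound the reply says the next OpenSSH release will enforce.
MIN_RSA_BITS = 768


def _ssh_string(data):
    """Encode a uint32-length-prefixed SSH string."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value):
    """Encode a non-negative integer as an SSH mpint (minimal two's complement)."""
    if value < 0:
        raise ValueError("RSA key fields are never negative")
    if value == 0:
        return _ssh_string(b"")
    # bit_length // 8 + 1 bytes adds a leading 0x00 exactly when the top bit is set
    return _ssh_string(value.to_bytes(value.bit_length() // 8 + 1, "big"))


def _read_string(blob, offset):
    """Decode one SSH string at offset; returns (data, new_offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    offset += 4
    if offset + length > len(blob):
        raise ValueError("truncated string")
    return blob[offset:offset + length], offset + length


def rsa_modulus_bits(key_line):
    """Return the modulus bit length of an 'ssh-rsa <base64> [comment]' line."""
    fields = key_line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("expected a line starting with ssh-rsa")
    blob = base64.b64decode(fields[1], validate=True)
    key_type, off = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("blob type does not match ssh-rsa")
    _e, off = _read_string(blob, off)
    n_bytes, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after modulus")
    n = int.from_bytes(n_bytes, "big")  # positive mpint; a leading 0x00 is harmless
    if n == 0:
        raise ValueError("empty modulus")
    return n.bit_length()


def filter_by_size(lines, minimum=MIN_RSA_BITS):
    """Split key lines into (accepted, rejected); each rejection carries a reason."""
    accepted, rejected = [], []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comments carry no key
        try:
            bits = rsa_modulus_bits(line)
        except ValueError as exc:
            rejected.append((line, "unparseable: %s" % exc))
            continue
        if bits < minimum:
            rejected.append((line, "%d-bit modulus below %d" % (bits, minimum)))
        else:
            accepted.append(line)
    return accepted, rejected


def constructed_rsa_line(modulus_bits, comment):
    """Build an ssh-rsa line around a CONSTRUCTED modulus of exactly modulus_bits bits.

    The modulus is not a product of two primes and the line is not a usable
    key; it only has the right wire shape for exercising the size check.
    """
    n = (1 << (modulus_bits - 1)) | 1
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(n)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)


if __name__ == "__main__":
    sample = [  # constructed authorized_keys content
        "# constructed sample authorized_keys",
        constructed_rsa_line(512, "old@laptop"),
        constructed_rsa_line(1024, "user@work"),
        constructed_rsa_line(2048, "user@home"),
    ]
    ok, bad = filter_by_size(sample)
    for line, why in bad:
        print("REJECT", line.split()[-1], why)
    for line in ok:
        print("ACCEPT", line.split()[-1], rsa_modulus_bits(line))
```

Run against a real authorized_keys file, the check reads each line's modulus length the same way `ssh-keygen -l` reports it; raising `minimum` is the local equivalent of the larger lower bound the reply says would follow any evidence that a given size is insecure.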
