1024-bit RSA keys in danger of compromise

Lucky Green shamrock at cypherpunks.to
Fri Mar 29 07:57:26 EST 2002


[OK, let me try this again, since we clearly got off on the wrong foot
here. My apologies for overreacting to Damien's post; I have been
receiving dozens of emails from the far corners of the Net over the last
few days that alternatively claimed that I was a stooge of the NSA
because everybody knows that 8k RSA keys can be factored in real-time or
that 512-bit RSA keys were untouchable since nobody could perform even
perform an exhaustive search of a 128-bit key space...]

Damien wrote:
> I am disputing that the improvements as presented are 
> practically relevant. Since you saw fit to cross-post to 
> openssh-unix-dev@, which is a list concerned with code (not 
> polemic), that is the context in which I chose to frame my reply.

My post reported on what was announced at an academic cryptographic
conference by a cryptographer that has written peer-reviewed papers on
the design of large-scale cryptographic processing machines in the past.
(I.e. how one would in practice build one of Rivest's MicroMint
machines). I believe my relaying these claims was responsible given the
potentially massive security implications to a good part of the
infrastructure. In addition, a reporter for the Financial Times was
present at the same event who announced his intent to write about it as
well.

Nowhere in the post did I make, or intent to make, claims of my own as
to the impact of Bernstein's paper on factoring. I did report on my
reaction to the claims which I witnessed and on which I therefore
reported. My reaction to those claims was to create larger keys. Other
may choose to react differently. Furthermore, I provided those concerned
with the new claims with what I believe are sound recommendations how to
counter the potential thread. Which was to increase the key size.

[On Nicko's rump session talk that they factored 512-bit keys on the
hardware in their office].
> You offer this aside in the context of an argument against 
> the insufficiency of 1024 bit RSA keys. Surely you don't 
> expect people to believe that you weren't including it to 
> bolster your argument?

To be perfectly honest, the thought that somebody on a mailing list
related to cryptographic software would consider my reporting on the
news that somebody factored 512-bit keys on the computers in their
office would believe I meant to imply this to have any bearing on a
potential ability to factor 1024-bit keys on purpose-built hardware
never even occurred to me.

I really, really meant coincidentally when I wrote coincidentally. The
two news came within a day of each other, so while reporting on one of
the news, I thought I'd make mention of the other news as well. That's
all.

Well, on second thought I suppose there actually is an, albeit removed,
connection between the two: many sites still use 512-bit keys; even if
one is unconcerned about 1024-bit keys being breakable, hopefully those
with 512-bit keys will take the fact that 512-bit keys can be broken by
some office hardware as a reason to upgrade key sizes.

[...]
> You post is hyperbole because it is very long on verbiage and 
> very short on justification. Large claims require a good 
> amount of proof: If you expect everyone to switch to 2048 bit 
> keys on the basis of your rant alone, you may be disappointed.

I don't really personally care what key sizes others use. For all I
care, others are welcome to employ 4-bit RSA keys, as long as they don't
use those keys to authenticate themselves to any of the machines under
my control.

Which brings me to an issue that I hope may be on-topic to this mailing
list: I would like to be able to enforce that the keys my users can use
to authenticate themselves to my sshd to be of a minimum size. Is there
a config option to sshd that will reject user keys below a minimum size?
I didn't see anything in the man pages or my first go through the code.

Thanks in advance,
--Lucky




More information about the openssh-unix-dev mailing list