Re: [Cfrg] 1024 bit RSA

John Mattsson <john.mattsson@ericsson.com> Sat, 05 November 2016 09:20 UTC

From: John Mattsson <john.mattsson@ericsson.com>
To: Erik Andersen <era@x500.eu>, Cfrg <cfrg@irtf.org>
Date: Sat, 5 Nov 2016 09:20:51 +0000
Message-ID: <D44363A3.54974%john.mattsson@ericsson.com>
References: <20161104210313.4C668406061@ip-64-139-1-69.sjc.megapath.net> <20161104212348.GA20439@LK-Perkele-V2.elisa-laajakaista.fi> <1478317865966.12431@cs.auckland.ac.nz> <000001d23743$b81c61d0$28552570$@x500.eu>
In-Reply-To: <000001d23743$b81c61d0$28552570$@x500.eu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/uQJmHdIgMkbAYi2S_ewtxk0K2iU>
Subject: Re: [Cfrg] 1024 bit RSA

According to the formula in Section 6 of the ECRYPT report [1] on key
lengths, which I think is the state-of-the-art, RSA-1024 offers 73 bits of
security, not 80 bits.

NIST has quite reasonable recommendations [2], and their requirements were
to stop using RSA-1024 no later than 2009.

Section 4 of [3] contains a good analysis on the related problem of
breaking DH-1024. They show that breaking generic DH-1024 in under a year
is plausible for SIGINTs on the order of hundreds of millions of dollars
(using publicly known cryptanalysis).

Even if RSA-1024 is not currently a super soft spot, it is likely to quickly
become one.

[1] http://www.ecrypt.eu.org/ecrypt2/documents/D.SPA.20.pdf

[2] https://www.keylength.com/en/4/


[3] https://weakdh.org/imperfect-forward-secrecy-ccs15.pdf

Cheers,
John



On 05/11/16 10:05, "Cfrg on behalf of Erik Andersen"
<cfrg-bounces@irtf.org on behalf of era@x500.eu> wrote:

>All the comments have been quite useful. Let me express my concern.
>
>There is a cyber war out there and it is being used politically.
>
>When it comes to smart grid, it will be very dependent on a complex IT
>infrastructure (primarily using SCADA protocols). Our electricity networks
>are very critical infrastructures. The Ukraine black-out is a warning about
>what we might expect. My country (Denmark) and our allies are not always
>acting as other great powers may want. The threat to bring down a critical
>infrastructure could affect the policy making. We should not leave too many
>soft spots in our defence wall. My question was actually: is a 1024 RSA key
>such a soft spot? From what I hear, the answer might be yes.
>
>Erik
>
>-----Original Message-----
>From: Cfrg [mailto:cfrg-bounces@irtf.org] On Behalf Of Peter Gutmann
>Sent: 05 November 2016 04:51
>To: Ilari Liusvaara <ilariliusvaara@welho.com>; Hal Murray
><hmurray@megapathdsl.net>
>Cc: Cfrg <cfrg@irtf.org>
>Subject: Re: [Cfrg] 1024 bit RSA
>
>Ilari Liusvaara <ilariliusvaara@welho.com> writes:
>
>>In summary, I would guess that factoring RSA 1024 keys would be within
>>reach of groups who could do ASIC design and then ordering custom chips
>>off fabs.
>>Of course, that's still many millions, so one would need the financial
>>case of spending that much money (it is going to be millions of dollars
>>at the very least).
>
>And that's the key point, would anyone bother?  There's always the
>hypothetical government-level attacker with magical access to infinite
>resources lurking in the shadows, but as Snowden has shown, they don't need
>to spend that much to get in, or build crypto-breakers to do it.  If I was
>an NSA program manager and someone came to me and said "we need $100M to
>build an ASIC-based RSA cracker, which we should have tested, debugged, and
>operational in two years", I'd reply "here's a full *one hundredth* of that
>amount, you've got a week to get in by backdooring or subverting or bribing
>or whatever"
>(with an optional side-order of "yer lazy bastard" in an Ernest Borgnine
>accent).
>
>Even if there was absolutely no other way in, I can't see how you could
>justify building something like that unless you were using it to attack
>something of extraordinarily high value like the single RSA-1024 key that
>the Kremlin uses to communicate with all its local offices.  DH group 2
>(group 1 in SSH terminology), sure (although an RSA-breaker can't do
>anything with those anyway), but some random RSA key somewhere?
>
>Peter.
>_______________________________________________
>Cfrg mailing list
>Cfrg@irtf.org
>https://www.irtf.org/mailman/listinfo/cfrg
>
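
The 73-bit figure cited at the top of this message can be reproduced numerically. The following is an added example, not part of the thread: it assumes the GNFS-based estimate from the ECRYPT II key-size report cited as [1] (raw number field sieve cost minus a 14-bit calibration offset), and the function names are chosen here for illustration.

```python
import math

# Assumption: these constants follow the GNFS-based estimate in the ECRYPT II
# key-size report cited as [1]; the formula itself is not quoted in the thread.
GNFS_CONSTANT = (64 / 9) ** (1 / 3)
ECRYPT_OFFSET_BITS = 14  # calibration offset subtracted from the raw GNFS cost


def gnfs_cost_bits(modulus_bits: int) -> float:
    """log2 of L_N[1/3, (64/9)^(1/3)] for a modulus N of modulus_bits bits."""
    ln_n = modulus_bits * math.log(2)  # ln N for an n-bit modulus
    return (GNFS_CONSTANT * math.log2(math.e)
            * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3))


def symmetric_equivalent_bits(modulus_bits: int) -> float:
    """Estimated symmetric-key strength of an RSA modulus of the given size."""
    return gnfs_cost_bits(modulus_bits) - ECRYPT_OFFSET_BITS


def min_modulus_bits(target_bits: float, lo: int = 256, hi: int = 32768) -> int:
    """Smallest modulus size whose estimate reaches target_bits.

    Binary search is valid because the estimate grows monotonically with size.
    """
    if symmetric_equivalent_bits(hi) < target_bits:
        raise ValueError("target exceeds the searched modulus range")
    while lo < hi:
        mid = (lo + hi) // 2
        if symmetric_equivalent_bits(mid) >= target_bits:
            hi = mid
        else:
            lo = mid + 1
    return lo


if __name__ == "__main__":
    for n in (512, 1024, 2048, 3248):
        print(f"RSA-{n}: about {symmetric_equivalent_bits(n):.1f} bits")
    print("smallest modulus for 80 bits:", min_modulus_bits(80))
```
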