Re: [DNSOP] Key sizes was Re: I-D Action:draft-ietf-dnsop-rfc4641bis-01.txt

[Paul Wouters <paul@xelerance.com>]

On Thu, 23 Apr 2009, Paul Wouters wrote:

> So what's your take on 1024 ZSK keys? Are they good for 1 month? 6 months?
>
> I'm trying to come up with justified numbers, but everyone keeps claiming
> they're not a cryptographer :)
>
> But I'm having lunch with one today....we'll see

So interestingly, the cryptographer (Ian Goldberg) started out with saying
that you should not ask cryptographers either, but instead should ask
mathematicians and hardware designers.

He started of saying that there is a huge difference in using a key for
signing, and using a key for encrypting. The first only has to be unbreakable
for the limited time the signed message is still useful to someone else,
where as the encrypted message probably needs to be able to be unbreakable
for much longer, until the secret itself becomes unvaluable. So the
required resilience for signing keys is in the order of years, while for
encryption keys this will be meassured in the order of decades.

So when looking at things like the NIST recommendation for not using 1024
bit RSA keys anymore, you have to realise this difference. Once a signing
key is retired, is has no value left in it.

This also means that the safe period for a signing key is much easier to
adjust (up and down) then the safe period for an encryption key, since
you yourself can decide almost instantly when to retire a signing key.

Pages such as http://www.rsa.com/rsalabs/node.asp?id=2004 take this into
account somewhat, but still mostly compares RSA keysizes with encryption
cipher keysizes (eg with AES) and assume the data needs to be unbreakable
for decades instead of for years.

Ian Goldberg said he would be shocked if 1024 RSA keys would be breakable
within years. And that if space (in the dns packet) considerations were
an issue, 1024 should be fine. And importantly, because it is a signing
key with no need for future safe guards, easy to adjust once unexpected
mathematical (or technological) advanced are made. So we can be
conservative and take DNS packet size and validating resolver resources
into account.

So it seems to me that using 1024 bit RSA keys for ZSK, and 2048 bit
keys for KSK, assuming RFC 4641 rollover periods, are still many orders
of magnitude safe for our use within the DNSSEC realm. In fact, it
seems RFC4641, as written in 2006, is still extremely conservative in
its estimates two and a half years after its publication date.

Note that the same does not apply for DSA. As I understood it, DSA
requires the use of some randomness for each signature, and the errors
in the random number generator are cummulative when attempting to crack
this key.  In other words, the more data you sign, the more vulnerable
you become to the tiniest imperfection in your HWRNG.

Paul
(sorry if all of this was already discussed in 2006)