Re: [DNSOP] Whiskey Tango Foxtrot on key lengths...

Nicholas Weaver <nweaver@icsi.berkeley.edu> Thu, 27 March 2014 15:05 UTC

From: Nicholas Weaver <nweaver@icsi.berkeley.edu>
In-Reply-To: <D9C84C71-1C87-48B3-AFAD-9F9D4AD97649@hopcount.ca>
Date: Thu, 27 Mar 2014 08:05:31 -0700
Message-Id: <FD66BB69-7F6E-4479-B99A-F84F9B7465A7@icsi.berkeley.edu>
References: <0EA28BE8-E872-46BA-85FD-7333A1E13172@icsi.berkeley.edu> <D9C84C71-1C87-48B3-AFAD-9F9D4AD97649@hopcount.ca>
To: Joe Abley <jabley@hopcount.ca>
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/TXqvj0Z26jyvmt367UdtN9z5x94
Cc: dnsop WG <dnsop@ietf.org>, Nicholas Weaver <nweaver@icsi.berkeley.edu>
Subject: Re: [DNSOP] Whiskey Tango Foxtrot on key lengths...

On Mar 27, 2014, at 7:22 AM, Joe Abley <jabley@hopcount.ca> wrote:

> 
> On 27 Mar 2014, at 22:56, Nicholas Weaver <nweaver@icsi.berkeley.edu> wrote:
> 
>> Bits are not precious:  Until a DNS reply hits the fragmentation limit of ~1500B, size-matters-not (tm, Yoda Inc).  
>> 
>> So why are both root and com and org and, well, just about everyone else using 1024b keys for the actual signing?
> 
> Those requirements (for the root zone keys) came from NTIA via NIST:
> 
> http://www.ntia.doc.gov/files/ntia/publications/dnssec_requirements_102909.pdf (9)(a)(i)
> 
> (well, NIST specified a minimum key size, but the implication at the time was that that was a safe minimum).

Obligatory Snarky Note: these being the same people who, after 2007, said that, although you can create your own constants, you MUST still use the specified magic constants for Dual_EC_DRBG if you wanted certification, even though it was shown that whoever generated the magic constants could have placed a backdoor in them...


But seriously: it was clear back a decade ago that 1024b RSA should be deprecated in 2010:

(current)
http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf

(historical)
http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf

1024b RSA is really considered by NIST as only ~80 bits symmetric strength equivalent.

> Bear in mind, I guess, that these keys have a publication lifetime that is relatively short. The window in which a factoring attack has an opportunity to find a result that can be exploited as a compromise is fairly narrow.

Except that if I'm in a position to actually use an old-factored root key, I'm probably also in a position to F-up your NTP.  How many computers complain bloody murder if the NTP server says "oh, your clock is wrong by 20 days (or 200 days), here you go"?  And even if they do, how many users understand what that would mean?


And "relatively short" is still two weeks.  That is well within range of a nation-state adversary willing to build a custom sieving machine.  Look at how much SHA256 power has been generated with a well under $50M aggregate spending: it's 35 PHash/s!

We do want DNSSEC to work in the face of a nation state adversary, no?  Do you want to bet that the NSA has not already built a 1024b RSA factoring machine?

Likewise, we do want the ability to do historical things, no?  E.g. DNSSEC signature at time T to attest to a fact, using the captured DNSSEC validation chain at the time?


Frankly speaking, since the root uses NSEC rather than NSEC3, IMO it should be 4096b for both the KSK and ZSK.  But I'd be happy with 2048b.  Using 1024b is a recipe to ensure that DNSSEC is not taken seriously.

--
Nicholas Weaver                  it is a tale, told by an idiot,
nweaver@icsi.berkeley.edu                full of sound and fury,
510-666-2903                                 .signifying nothing
PGP: http://www1.icsi.berkeley.edu/~nweaver/data/nweaver_pub.asc
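
Added example, not part of the original message: a Python sketch that puts numbers on the two quantities the thread argues about, the symmetric-equivalent strength of an RSA modulus and the size of a signed DNSKEY response against the ~1500B fragmentation limit. The strength figure uses the common GNFS cost heuristic (an approximation), the sizes follow the RFC 4034 / RFC 3110 record layouts, and the function names and the two-key root-zone scenario are assumptions constructed for illustration.

```python
import math

FRAG_LIMIT = 1500  # bytes; the post's approximate fragmentation limit

def rsa_strength_bits(modulus_bits):
    """Symmetric-equivalent bits from the GNFS cost heuristic (approximation)."""
    ln_n = modulus_bits * math.log(2)
    cost = 1.923 * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3) - 4.69
    return cost / math.log(2)

def name_wire_len(name):
    """Uncompressed wire length of a domain name ("." is one root byte)."""
    labels = [label for label in name.split(".") if label]
    return sum(len(label) + 1 for label in labels) + 1

def dnskey_rdata_len(modulus_bits, exponent=65537):
    """Flags(2) + protocol(1) + algorithm(1) + RFC 3110 RSA public key."""
    exp_len = (exponent.bit_length() + 7) // 8
    exp_len_field = 1 if exp_len <= 255 else 3
    return 4 + exp_len_field + exp_len + modulus_bits // 8

def rrsig_rdata_len(modulus_bits, signer="."):
    """18 fixed bytes + signer name + signature (as long as the modulus)."""
    return 18 + name_wire_len(signer) + modulus_bits // 8

def dnskey_response_len(zone, key_bits, signing_key_bits):
    """Upper bound (no name compression) for a DNSKEY answer with EDNS0 OPT."""
    owner = name_wire_len(zone)
    rr_header = owner + 10                 # type, class, TTL, RDLENGTH
    total = 12 + owner + 4                 # DNS header + question section
    total += sum(rr_header + dnskey_rdata_len(b) for b in key_bits)
    total += sum(rr_header + rrsig_rdata_len(b, zone) for b in signing_key_bits)
    return total + 11                      # OPT pseudo-record

def survey(sizes=(1024, 2048, 4096)):
    """Constructed scenario: root zone, one KSK and one ZSK of equal size,
    DNSKEY RRset signed by the KSK only."""
    rows = []
    for bits in sizes:
        length = dnskey_response_len(".", [bits, bits], [bits])
        rows.append((bits, round(rsa_strength_bits(bits)), length,
                     length <= FRAG_LIMIT))
    return rows

if __name__ == "__main__":
    for bits, strength, length, fits in survey():
        print(f"RSA-{bits}: ~{strength}-bit strength, DNSKEY response "
              f"{length} B, {'fits' if fits else 'exceeds'} {FRAG_LIMIT} B")
```

The DNSKEY response is the largest answer a zone normally serves, so it is the case to check against the limit; ordinary signed answers carry only one signature of `modulus_bits // 8` bytes plus the fixed RRSIG fields.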