Re: [DNSOP] Current DNSOP thread and why 1024 bits

Paul Hoffman <paul.hoffman@vpnc.org> Wed, 02 April 2014 16:17 UTC

Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 61A4F1A0232 for <dnsop@ietfa.amsl.com>; Wed, 2 Apr 2014 09:17:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.347
X-Spam-Level:
X-Spam-Status: No, score=-1.347 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_MISMATCH_COM=0.553] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IOYDEVjKIDG5 for <dnsop@ietfa.amsl.com>; Wed, 2 Apr 2014 09:17:31 -0700 (PDT)
Received: from hoffman.proper.com (IPv6.Hoffman.Proper.COM [IPv6:2605:8e00:100:41::81]) by ietfa.amsl.com (Postfix) with ESMTP id 001031A01E2 for <dnsop@ietf.org>; Wed, 2 Apr 2014 09:17:30 -0700 (PDT)
Received: from [10.20.30.90] (50-1-98-175.dsl.dynamic.sonic.net [50.1.98.175]) (authenticated bits=0) by hoffman.proper.com (8.14.8/8.14.7) with ESMTP id s32GHPR3080684 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO) for <dnsop@ietf.org>; Wed, 2 Apr 2014 09:17:26 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
X-Authentication-Warning: hoffman.proper.com: Host 50-1-98-175.dsl.dynamic.sonic.net [50.1.98.175] claimed to be [10.20.30.90]
Content-Type: text/plain; charset=iso-8859-1
Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\))
From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <CAAF6GDcGRyf_J+HJ2MP1Hso==iAS-a4prOpAZ7U-A8V1uiL=ew@mail.gmail.com>
Date: Wed, 2 Apr 2014 09:17:24 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <09152B82-E988-43F3-AF84-9514997D1116@vpnc.org>
References: <0EA28BE8-E872-46BA-85FD-7333A1E13172@icsi.berkeley.edu> <53345C77.8040603@uni-due.de> <B7893984-2FAD-472D-9A4E-766A5C212132@pch.net> <102C13BE-E45E-437A-A592-FA373FF5C8F0@ogud.com> <474B0834-C16B-4843-AA0A-FC2A2085FEFB@icsi.berkeley.edu> <CAMm+Lwh-G7D5Cjx4NWMOhTjBZd=VVRHiPdK7L1zm-P0QRP8P2Q@mail.gmail.com> <1904697C-49EF-4F77-A71A-3E0E4FC16575@cox.net> <CAAF6GDcGRyf_J+HJ2MP1Hso==iAS-a4prOpAZ7U-A8V1uiL=ew@mail.gmail.com>
To: "dnsop@ietf.org" <dnsop@ietf.org>
X-Mailer: Apple Mail (2.1874)
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/YRz66oEYln8wNHv6V5b7SDaeSGI
Subject: Re: [DNSOP] Current DNSOP thread and why 1024 bits
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Apr 2014 16:17:35 -0000

On Apr 2, 2014, at 8:26 AM, Colm MacCárthaigh <colm@allcosts.net> wrote:

> Cryptographic failures are often undemonstrated for decades. 

This is an important point, particularly when talking about RSA keys. It is important to note that RSA keys are *not* broken by brute force. There is some tricky math that is used to make the problem of finding the private key easier. That math was discovered long after the RSA algorithm was developed. That math kept getting much better for over a decade, but there have been no major public improvements in the math in about a decade. There easily could be non-public improvements that we don't know about; there are certainly a lot of papers that chip away at the problem, albeit slowly for keys >~768 bits.

For elliptic curve cryptography, there was a major improvement that came almost immediately (that's why P256 only has 128 bits of strength), and nothing since then at all. That's why cryptographers think of ECC as more "reliable": there is little expectation that the math will improve for attackers of ECC, and high expectation that it will improve for attackers of RSA and non-EC DSA.

--Paul Hoffman