[PEN-TEST] Strength of RSA keys -vs- length (was Re: Places to find crypto ...)

[Bennett Todd <bet () RAHUL NET>]

2000-12-06-18:46:50 Dom De Vitto:
> Yea, generally speaking 1024 bits can be done by gov's & big
> corps, with (I'd speculate) a few week or so's 24x7 effort.  It's
> worth making the keys over 1200 bits, at which point brute forcing
> the 128 bit crypto is often easier/quicker.

Are you sure about your numbers there? I believe the story is
something more like:

- A 512-bit composite was factored recently, in one of these big
  efforts that brings hundreds or thousands of machines to bear on
  the sieving; that suggests that 512-bits is pretty near today's
  cutting edge;

- factoring gets about twice as hard for an additionl 10 bits of key
  length; and so

- a 1024-bit key is somewhere up in the quadrillions of times harder
  than the current state of the art

These points are weakened by a few factors with more or less
importance depending on details of application; basically, Moore's
law seems to be staying on track, and the factoring gurus have
done a pretty good job of continuing to ride it. Factoring also
sees periodic algorithmic improvements that cause it to run ahead
of Moore's law, though whether those will continue, slow, or
accellerate is anybody's guess.

If you want to encrypt a document whose cyphertext will exposed to
the public, and whose plaintext must remain secret for many, many
years, I'm pretty sure I've heard folks who'd know recommending
2048-bit RSA keys, on the grounds that they would seem, under
reasonable assumptions, to be of similar strength to 128-bit
symmetric cypher keys.

But as an illustration of the significance of the application
details, for login access control purposes --- e.g. ssh --- a
768-bit key may well be adequate today. It really depends on whether
you pass long-lived secrets through that encrypted tunnel.

-Bennett

Attachment: _bin
Description: