Penetration Testing mailing list archives

Re: [PEN-TEST] Strength of RSA keys -vs- length (was Re: Places to find crypto ...)


From: Dom De Vitto <dom () DEVITTO COM>
Date: Thu, 7 Dec 2000 23:39:05 -0000

My assumptions are based on the kind of kit that the US are buying publicly,
like the atomic explosion sim in the papers a year or so ago.
(my dodgy memory recalls numbers like 50,000 Pentiums in parallel)

And if that's what researchers are playing with, think what the military
could find funding for... anyway, I'd prefer to overestimate capability,
but that's just me.

As for the 128bits ~= 1200 or 2048 bits, I thought I read it in the PGP docs
a long time ago - does anyone else concur or have better evidence than my
ramblings of old memories..?

But I thought that the point was that as a conventional key algo is used
for the data, there is no point having a public key much greater in 
strength than that. 
- if you're locking things up for a million years, or ten minutes, the
cryptanalysis will still be against the weaker process.

Dom
 | -----Original Message-----
 | From: Bennett Todd [mailto:bet () rahul net]
 | Sent: 07 December 2000 16:02
 | To: Dom De Vitto
 | Cc: PEN-TEST () securityfocus com
 | Subject: Strength of RSA keys -vs- length (was Re: Places to find crypto
 | ...)
 | 
 | 
 | 2000-12-06-18:46:50 Dom De Vitto:
 | > Yea, generally speaking 1024 bits can be done by gov's & big
 | > corps, with (I'd speculate) a few week or so's 24x7 effort.  It's
 | > worth making the keys over 1200 bits, at which point brute forcing
 | > the 128 bit crypto is often easier/quicker.
 | 
 | Are you sure about your numbers there? I believe the story is
 | something more like:
 | 
 | - A 512-bit composite was factored recently, in one of these big
 |   efforts that brings hundreds or thousands of machines to bear on
 |   the sieving; that suggests that 512-bits is pretty near today's
 |   cutting edge;
 | 
 | - factoring gets about twice as hard for an additional 10 bits of key
 |   length; and so
 | 
 | - a 1024-bit key is somewhere up in the quadrillions of times harder
 |   than the current state of the art
 | 
 | These points are weakened by a few factors with more or less
 | importance depending on details of application; basically, Moore's
 | law seems to be staying on track, and the factoring gurus have
 | done a pretty good job of continuing to ride it. Factoring also
 | sees periodic algorithmic improvements that cause it to run ahead
 | of Moore's law, though whether those will continue, slow, or
 | accelerate is anybody's guess.
 | 
 | If you want to encrypt a document whose cyphertext will be exposed to
 | the public, and whose plaintext must remain secret for many, many
 | years, I'm pretty sure I've heard folks who'd know recommending
 | 2048-bit RSA keys, on the grounds that they would seem, under
 | reasonable assumptions, to be of similar strength to 128-bit
 | symmetric cypher keys.
 | 
 | But as an illustration of the significance of the application
 | details, for login access control purposes --- e.g. ssh --- a
 | 768-bit key may well be adequate today. It really depends on whether
 | you pass long-lived secrets through that encrypted tunnel.
 | 
 | -Bennett
 | 
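
The RSA-versus-symmetric key length comparison debated in this thread can be estimated with the heuristic running time of the general number field sieve, L_n[1/3, (64/9)^(1/3)]. The following is an added example, not part of either message; the function names are hypothetical, and dropping the o(1) term is an assumption, so the figures are rough relative estimates rather than calibrated attack costs.

```python
import math

# Constant c in the GNFS heuristic cost exp(c * (ln n)^(1/3) * (ln ln n)^(2/3)).
GNFS_C = (64 / 9) ** (1 / 3)


def gnfs_work_bits(modulus_bits: int) -> float:
    """Return log2 of the heuristic GNFS cost for a modulus of this length.

    Assumption: the o(1) term of the asymptotic formula is taken as zero.
    """
    ln_n = modulus_bits * math.log(2)
    ln_cost = GNFS_C * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return ln_cost / math.log(2)


def relative_cost_bits(small_bits: int, large_bits: int) -> float:
    """log2 of how much more work the larger modulus needs than the smaller."""
    return gnfs_work_bits(large_bits) - gnfs_work_bits(small_bits)


def modulus_bits_for(symmetric_bits: float, step: int = 8) -> int:
    """Smallest modulus length (multiple of `step`) whose estimate reaches
    the work of exhaustively searching a symmetric key of this many bits."""
    if symmetric_bits <= 0:
        raise ValueError("symmetric_bits must be positive")
    bits = 64
    while gnfs_work_bits(bits) < symmetric_bits:
        bits += step
    return bits


if __name__ == "__main__":
    # Modulus lengths mentioned in the thread.
    for size in (512, 768, 1024, 1200, 2048):
        print(f"{size:5d}-bit modulus ~ 2^{gnfs_work_bits(size):.1f} operations")
    print(f"1024 vs 512: 2^{relative_cost_bits(512, 1024):.1f} times the work")
    print(f"modulus length matching a 128-bit key: {modulus_bits_for(128)} bits")
```

Because the growth is sub-exponential, the extra work bought by each added modulus bit shrinks as the modulus gets longer, which is why symmetric and RSA key lengths do not scale together.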

