Nelson Bolyard wrote:
> In case it wasn't obvious, I need to state that *it is my opinion* that 512 bits is not a reasonable length for an RSA public key to be used by a CA in 2007.

It's an opinion that's held generally. In the article below, the debate centers around whether or not 1024 is safe for CAs.
> I base that opinion on NIST's statement to the effect that even 1024-bit RSA public keys will not be strong enough beginning in the year 2010.

Last year I did some research on why 1024-bit is considered weak (512 as weak has been accepted for a long time). I posted my result to a new list, which isn't publicly accessible, so I'll repeat the data here:
----------------------------------------------------------------------
A good paper is Arjen Lenstra and Eric Verheul's "Selecting Cryptographic Key Sizes" http://www.win.tue.nl/~klenstra/key.pdf (published 2001).
Page 32 has a table where the suitability of 1024 bit RSA for commercial use is questionable after 2002. The paper itself, though, describes a methodology which is tweakable. The true strength of this paper is that Lenstra and Verheul explicitly document their assumptions, and parameterize those assumptions so that you can apply different assumptions to the list. The main one being "suitable for commercial" is the equivalent strength of DES 56 in 1982 or stronger. For many applications DES 56 was considered acceptable well past that time, and Arjen and Eric document easy correction factors on page 33. If you assume DES 56 was safe until 1995 when it was publicly cracked, then 1024 bit RSA is good until 2009. So we are clearly in the gray period with respect to this paper.

Adi Shamir (the "S" in RSA) is one of the strongest advocates of the "1024 bit is already risky" camp. He and Eran Tromer have a website at http://www.wisdom.weizmann.ac.il/~tromer/twirl/. The main paragraph is:

"TWIRL (The Weizmann Institute Relation Locator) is an electronic device for factoring of large integers. It implements the sieving step of the Number Field Sieve integer factorization algorithm, which is in practice the most expensive step in factorization. TWIRL is more efficient than previous designs by several orders of magnitude, due to high algorithmic parallelization combined with adaptation to technological hardware constraints. Although fairly detailed, the design remains hypothetical since the device has not been actually built. However, projected cost estimates suggest that if TWIRL is built using current VLSI technology, it will be possible to factor 1024-bit integers, and hence to break 1024-bit RSA keys, in 1 year at the cost of a few dozen million US dollars (or significantly less, if several integers are to be factored simultaneously)."

On the other side Burt Kaliski, RSA Laboratories defends the viability of 1024 through 2009 (that is until 2010): http://www.rsasecurity.com/rsalabs/node.asp?id=2004 His article contains a good summary of the research in key size recommendations including the above papers. Notice he goes with the NIST recommendations for user and enterprise keys, but goes with the stronger 2048 for root certificates. Burt states that 2048 has been the recommendation for root certs since 1995. He also says those recommendations were generally followed, I guess for some broad definition of "generally" since all but one 1024 bit cert currently in the Mozilla root list was issued since 1995, and 1024 bit certs make up just less than half the certs in the list:
1 certs with key Size of 1000
45 certs with key Size of 1024
46 certs with key Size of 2048
2 certs with key Size of 4096

I think the broad take away is:
1) End user certificates which expire before 2010 should be fine.
2) New roots and intermediates should be 2048.

I don't see a way around the legacy 1024 bit certs, but I would definitely want to see wording that will discourage the issuance of new root certs that are less than 2048.
One last thing, while researching the certs in the database, I ran across a number of certs which are using a public exponent of 3. All the strength estimates are based on 'large' exponents (65537). We should also include an exponent size in our requirements. (exponent of 3 is generally considered weak in RSA, no matter what the modulus size is).
------------------------------------------------------------------------------------------------
I should point out that at the time I posted about exponent of 3, Burt Kaliski pointed out that while large exponents are generally safer, for signatures there were no known attacks against exponents of 3. This comment predated the Bleichenbacher II signature attack.
bob
> See http://csrc.nist.gov/publications/nistpubs/800-52/SP800-52.pdf
> _______________________________________________
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
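
The key-size tally and the exponent requirement discussed in the message above can be checked mechanically. The following is an added example, not part of the original post or of any Mozilla tooling: it parses PKCS#1 RSAPublicKey structures, tallies modulus sizes, and flags keys under 2048 bits or with a small public exponent. The function names, the 65537 exponent threshold as a policy value, and the sample keys (placeholder moduli, not real CA keys) are assumptions made for illustration.

```python
from collections import Counter

def read_tlv(buf, pos, tag):
    """Read one DER TLV at pos; return (value, next_pos)."""
    if buf[pos] != tag:
        raise ValueError(f"expected tag {tag:#x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return buf[pos:pos + length], pos + length

def parse_rsa_public_key(der):
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }"""
    body, _ = read_tlv(der, 0, 0x30)
    n_raw, pos = read_tlv(body, 0, 0x02)
    e_raw, _ = read_tlv(body, pos, 0x02)
    return int.from_bytes(n_raw, "big"), int.from_bytes(e_raw, "big")

def audit(keys, min_bits=2048, min_exponent=65537):
    """Return ({modulus_bits: count}, [(name, reason), ...]) for (name, der) pairs."""
    tally, findings = Counter(), []
    for name, der in keys:
        n, e = parse_rsa_public_key(der)
        bits = n.bit_length()
        tally[bits] += 1
        if bits < min_bits:
            findings.append((name, f"modulus is {bits} bits, below {min_bits}"))
        if e < min_exponent:  # assumed policy threshold
            findings.append((name, f"public exponent is {e}"))
    return dict(tally), findings

# Constructed sample data: DER built from placeholder moduli of the right size.
def der_len(n):
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
def der_int(v):
    raw = v.to_bytes(v.bit_length() // 8 + 1, "big")  # leading 0x00 keeps it positive
    return b"\x02" + der_len(len(raw)) + raw

def sample_key(bits, e):
    body = der_int((1 << (bits - 1)) | 1) + der_int(e)
    return b"\x30" + der_len(len(body)) + body

SAMPLE_KEYS = [(f"root-{c}", sample_key(b, e)) for c, b, e in
               [("a", 1024, 3), ("b", 2048, 65537), ("c", 1024, 65537), ("d", 4096, 3)]]
```

Calling `audit(SAMPLE_KEYS)` returns the size tally in the same form as the list in the message, plus one finding per violated requirement.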