[ISN] 1024-bit encryption is 'compromised'

From: InfoSec News (isnat_private)
Date: Wed Mar 27 2002 - 01:37:25 PST


    By James Middleton 
    Upgrade to 2048-bit, says crypto expert
    According to a security debate sparked off by cryptography expert
    Lucky Green on Bugtraq yesterday, 1,024-bit RSA encryption should be
    "considered compromised".
    The Financial Cryptography conference earlier this month, which
    largely focused on a paper published by cryptographer Dan Bernstein
    last October detailing integer factoring methodologies, revealed
    "significant practical security implications impacting the
    overwhelming majority of deployed systems utilising RSA as the public
    key algorithm".
    Based on Bernstein's proposed architecture, a panel of experts
    estimated that a 1,024-bit RSA factoring device can be built using
    only commercially available technology for a price range of several
    hundred million to $1bn.
    These costs would be significantly lowered with the use of a chip fab.
    As the panel pointed out: "It is a matter of public record that the
    National Security Agency [NSA] as well as the Chinese, Russian, French
    and many other intelligence agencies all operate their own fabs."
    And as for the prohibitively high price tag, Green warned that we
    should keep in mind that the National Reconnaissance Office regularly
    launches Signal Intelligence satellites costing close to $2bn each.
    "Would the NSA have built a device at less than half the cost of one
    of its satellites to be able to decipher the interception data
    obtained via many such satellites? The NSA would have to be derelict
    of duty to not have done so," he said.
    The machine proposed by Bernstein would be able to break a 1,024-bit
    key in seconds to minutes. But the security implications of the
    practical 'breakability' of such a key run far deeper.
    None of the commonly deployed systems, such as HTTPS, SSH, IPSec,
    S/MIME and PGP, use keys stronger than 1,024-bit, and you would be
    hard pushed to find vendors offering support for any more than this.
    What this means, according to Green, is that "an opponent capable of
    breaking all of the above will have access to virtually any corporate
    or private communications and services that are connected to the
    "The most sensible recommendation in response to these findings at
    this time is to upgrade your security infrastructure to utilise
    2,048-bit user keys at the next convenient opportunity," he advised.
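
    The recommendation above amounts to finding the 1,024-bit keys in a deployment and replacing them. As an added example, not code from the article or from any of the people it quotes, here is a standard-library Python audit that reads the modulus size out of PEM-encoded RSA public keys and flags anything below 2,048 bits. The DER encoder/decoder and the two sample keys are this example's own construction: the sample moduli are random odd integers of the stated size, not genuine RSA products, which is all a size audit needs since it inspects only the modulus length.

```python
"""RSA public-key size audit (added example, not from the article).

Implements a minimal DER encoder/decoder for a SubjectPublicKeyInfo that
carries a PKCS#1 RSAPublicKey, so it runs with the standard library only.
The sample keys built by sample_keys() are constructed here: their moduli
are random odd integers of the requested bit length, not real RSA keys.
"""
import base64
import random

# 1.2.840.113549.1.1.1 (rsaEncryption), DER-encoded OID contents
RSA_OID = bytes.fromhex("2a864886f70d010101")
MIN_BITS = 2048  # threshold recommended in the article


def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def der_int(value: int) -> bytes:
    """DER INTEGER; prepend 0x00 when the top bit is set so it stays positive."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return der_tlv(0x02, body)


def make_spki(modulus: int, exponent: int = 65537) -> bytes:
    """Build SubjectPublicKeyInfo { AlgorithmIdentifier, BIT STRING(RSAPublicKey) }."""
    rsa_public_key = der_tlv(0x30, der_int(modulus) + der_int(exponent))
    algorithm = der_tlv(0x30, der_tlv(0x06, RSA_OID) + b"\x05\x00")  # NULL params
    return der_tlv(0x30, algorithm + der_tlv(0x03, b"\x00" + rsa_public_key))


def to_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"


def read_tlv(buf: bytes, pos: int):
    """Decode one TLV at pos; return (tag, contents, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(pem: str) -> int:
    """Return the modulus bit length of a PEM 'PUBLIC KEY' (SubjectPublicKeyInfo)."""
    body = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    der = base64.b64decode(body)
    tag, spki, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    tag, algorithm, pos = read_tlv(spki, 0)
    _, oid, _ = read_tlv(algorithm, 0)
    if oid != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bit_string, _ = read_tlv(spki, pos)
    if tag != 0x03 or bit_string[0] != 0:
        raise ValueError("malformed subjectPublicKey BIT STRING")
    _, rsa_public_key, _ = read_tlv(bit_string, 1)  # skip the unused-bits octet
    _, modulus_bytes, _ = read_tlv(rsa_public_key, 0)  # first INTEGER is n
    return int.from_bytes(modulus_bytes, "big").bit_length()


def audit(keys: dict, min_bits: int = MIN_BITS) -> dict:
    """Map key name -> (modulus bits, meets threshold)."""
    report = {}
    for name, pem in keys.items():
        bits = rsa_modulus_bits(pem)
        report[name] = (bits, bits >= min_bits)
    return report


def sample_keys() -> dict:
    """Constructed sample keys (not real RSA moduli): one legacy, one current."""
    rng = random.Random(2002)  # fixed seed so the sample is reproducible

    def fake_modulus(bits: int) -> int:
        return rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # exact length, odd

    return {
        "legacy-1024": to_pem(make_spki(fake_modulus(1024))),
        "current-2048": to_pem(make_spki(fake_modulus(2048))),
    }


if __name__ == "__main__":
    for name, (bits, ok) in audit(sample_keys()).items():
        verdict = "ok" if ok else "BELOW %d bits, replace" % MIN_BITS
        print(f"{name}: {bits}-bit RSA {verdict}")
```

    Pointed at real keys, `rsa_modulus_bits` takes the same PEM that `openssl rsa -pubout` or a certificate's SubjectPublicKeyInfo yields; the audit reports only the modulus size, which is the property the article's recommendation turns on.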
    But a comment from well known cryptographer Bruce Schneier casts doubt
    on the practical impact of Bernstein's findings.
    "It will be years before anyone knows exactly whether, and how, this
    work will affect the actual factoring of practical numbers," he said.
    But Green, amid cries of "overreaction" from the Slashdot community,
    added: "In light of the above, I reluctantly revoked all my
    personal 1,024-bit PGP keys and the large web-of-trust that these keys
    have acquired over time. The keys should be considered compromised."
    Whatever the practical security implications, one sharp-witted
    Slashdot reader pointed out: "Security is about risk management. If
    you have something to protect that's worth $1bn for someone to steal,
    and the only protection you have on it is 1,024-bit crypto, you
    deserve to have it stolen."
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Wed Mar 27 2002 - 06:04:23 PST