1024-bit RSA keys In Danger Of Compromise? 368
antiher0 writes "According to an email from Lucky Green that came across bugtraq yesterday, 1024-bit encryption should no longer be considered pristine. Bernstein released a proposal that outlines the creation of a machine capable of breaking 1024-bit crypto on the order of minutes or even seconds for the measly cost of ~$1B USD. For a more thorough discussion, check out the original email."
Update: 03/26 03:16 GMT by T : And don't forget to revisit Bruce Schneier's analysis of Bernstein's claims, which cast doubt on the practicality of breaking such large keys anytime soon.
$1Billion (Score:2, Funny)
Is the company you work for hirring? God I wish I could call a billion dollars measly!!
Re:$1Billion (Score:2, Insightful)
Break out those one-time key pads and pigeons, boys, the government will own your electronic crytposouls before you know it.
Re:$1Billion (Score:2)
Don't forget, every bit added, doubles the strength.
4096 != 1024*4
My HP 48GX says:
2^1024=1.79769313486E308
2^4096=9.9999999
4096 is 2^3072 times stronger
; )
Re:$1Billion (Score:3, Informative)
The NFS factoring algorithm is subexponential - adding a bit doesn't even nearly double the strength.
Re:$1Billion (Score:5, Informative)
Assuming the email is correct (and having read it, it does't seem to be that incredible) That $1B investment gets you the infrastructure, systems and processes to routinely break 1024 bit keys (and therefore the contents of the encrypted payload) in a fairly short order.
Since many people believe that a 1024-bit key is essentially uncrackable today, tomorrow and next century, 1024-bit keys are still going to be popular.
If an organisation can amortise the cost over 3-4 years (which is the likely life of short (1024 or smaller) keys). That gives you quite a return on investment.
If that $1B allows you to break one key every 5 minutes, over a 4 year period, you can break ~420,000 keys - which works out to a cost of less than $2500 per key. If you can intelligently target who's keys you wish to compromise, the benefits could be significant.
Re:$1Billion (Score:3, Interesting)
Exactly.
For those of you who would like a breakdown of how a system like this would work, you may want to read Cracking DES by the Electronic Frontier Foundation [oreilly.com]. (Note, this book is out of print, but the EFF has made versions available online. [eff.org])
It discusses building a computer from scratch that can crack DES quite fast. This same principle can be applied to any brute-force technique. And if the cost is $1Billion now, it will be considerably less in a few years.
Re:$1Billion (Score:2, Funny)
$1Billion wasted (Score:2, Funny)
Yet despite all that money and zillions of man-years being blown on reading stuff in such a format, no one has managed to go out, and no one is willing to spend the money to try to crack
There are so many *smarter* things to blow money on than cryptography that it blows the mind. Cryptography is a fun mind game, but frankly when this much money is being spent on it it's just ridiculous.
You can bribe the people involved for less than $1 billion. Heck, buy up a private army and take over the building that has the information that you want.
Re:Maybe I'm missing something... (Score:2)
If you've been properly trained in US politics, the phrases "Won't someone please think of the children" and "National Security" should pop into your head immediately.
Why are we worrying about one billion dollars when having the capability to factor 1024-bit RSA keys could save children's lives?!
Re:Maybe I'm missing something... (Score:5, Insightful)
Second, if you'd read the e-mail on Security Focus, the estimated price range is several hundred million dollars to about 1 billion dollars, lower if they have access to a chip fab. It also mentions that the NSA and several other countries' intelligence agencies have their own fabs. So it's not as prohibitively expensive as it sounds. The e-mail's author goes as far as saying The NSA would have to be derelict of duty to not already have built such a decryption device.
Re:Maybe I'm missing something... (Score:2)
The Department of Defense gets $303B a year.
See the official budget of the United States Government for 2003. [gpo.gov]
Exactly WHAT is an agency of the US Gov going to crack
that will allow it to gain exactly WHAT money
to amortize it's $1B
that won't be missed?
IIRC, each Stealth bomber costs about a billion dollars. Given the tradeoff between buying a new Stealth fighter, and knowing where to put my current Stealth fighters before my opponent has got a chance to move his armies, I'd pick the latter.
I'm sure I've heard this somewhere before... (Score:3, Informative)
Re:I'm sure I've heard this somewhere before... (Score:3)
This is about professionals (Banking security) getting together and talking about the ramifications of DJB's idea.
It's not 100% new, but it's not 100% recycled either. Of note is the fact that $1B is not out of their league ($2B satellites are standard items), and that they would be irresponsible to NOT have done this already.
It's more data, take it or leave it as you will.
Re:I'm sure I've heard this somewhere before... (Score:2)
previously reported (Score:2, Informative)
Re:previously reported (Score:3, Interesting)
It seems to me that this story is hitting slashdot because, well, it hit slashdot.
The original was passed around a few small mailing lists, where it got some comment but nothing big. Then it hit slashdot a month ago, and the number of places I saw it popping up increased. I also saw a story about DJB cranking at some reporter for misunderstanding the exact nature of the information, which tells me that someone thought it was suddenly big enough to have a reporter look into.
And now, perhaps based on all this "publicity," Lucky Green or whoever is setting up discussion of it at some conference and revoking his old key. Note that he didn't do it a month ago, when the story was on all the crypto lists - presumably the more attention it got, the more real it became.
Maybe I'm off base here, but I think this is one of those examples of the media gestalt manipulating and being manipulated by the media consumers - the story had to get big before it could be taken seriously, and it had to be taken seriously before it could get big... and the slashdot story a month ago was probably one of the bigger steps along the way.
The slashdot effect... It isn't just for websites anymore!
If you read the letter ..... (Score:2, Informative)
It's funny, laugh. (IHNRTA) (Score:3, Funny)
I'm certain that qcrack will be poorly documented and require the addition of 5,000 users to whatever supercomputer it happens to operate properly on.
Then DJB will speak incessantly about how it differs from other encryption cracking techniques with its "modular design" (which is actually the application of many patches in order to obtain features found in most SMTP daemons, err cracking programs). Yeah.
(Disclaimer: I love qmail.)
Re:It's funny, laugh. (IHNRTA) (Score:2)
That's probably because you haven't tried postfix yet. I thought qmail was the bomb too until I discovered postfix and realized how bad the logging is in qmail.
Cheap. (Score:2)
It is way easier for you to move up a few orders of magnitude of encryption than for them to build a machine that can crack it.
However, this will mean a bigger supercomputer for all kinds of numbering tasks - basic research and math, physics, and astronomy will eventually benefit.
Break my crypto for $1B? (Score:5, Funny)
Re:Break my crypto for $1B? (Score:2, Informative)
Re:Break my crypto for $1B? (Score:3, Interesting)
$1
$100
$1000
$10000
$100000
$100000000
M
Not so fast.. (Score:5, Insightful)
Been all over SecurityFocus Already. (Score:2, Informative)
Anyway, we all know they've been reading our sekrit kees by telepathy for years now, right?
Would this be a solution? (Score:5, Insightful)
Give that a brute force attack is orders of magnitude more computationally intensive than the original encryption, would this allow you to stay ahead of the curve?
Also, although the papers seem to indicate that the proposed system could try multiple forms of attacks on the encrypted data, would modifying or customizing the encryption algorithm at each layer of encryption help? Computers are great at brute force attacks, but I highly doubt a system such as this proposed one can do much in the way of analysis or reverse engineering of the encryption algorithms used...at some point, you'd have to resort to good old (and slow) human deduction...
Re:Would this be a solution? (Score:2, Informative)
Re:Would this be a solution? (Score:2)
It is however interesting to note that due to the way such Fiestel ciphers work, a double DES is easier to break than a single. Why? I don't remember, I'm not a math major, and don't feel like getting out my Crypto notes from last semester.
Re:Would this be a solution? (Score:3, Interesting)
Re:Would obscurity be a solution? (Score:5, Informative)
Ah... the old security through obscurity notion. Someone else can carry the debate here but trying to get security by trying to hide what layers of algorithms you are using is defeating the point of security research. A "secure algorithm" is basically one such that it does not matter whether the hacker has access to the algorithm or not. Cracking a "secure algorithm" should be as hard as cracking by brute force. If your security relies on obscurity, then you are asking for trouble in general
As for layering in general. Well it works for the most part (e.g 3DES) although there are caveats (2DES would not be safe). But the real point is that layering is slow. Doing 1024-bit RSA encryption is slow. And try generating a 2048-bit key instead of a 1024-bit key. It takes ages (possibly minutes on some computers). You may be increasing security but decreasing performance.
Now going back to the first point about a "secure algorithm", you are better of say doubling your key size and exponentially increasing the keyspace on your existing algorithm then either inventing your own layering scheme that may or may not work AND will be slow nad memory wasteful by using many algorithms. The short answer is, you don't need layering, just make larger keys.
Re:Would obscurity be a solution? (Score:2)
Re:Would obscurity be a solution? (Score:2)
There are disadvantages, of course - you don't know that the two algorithms together are secure, and when considered as a whole, the chances are that they're not more secure. You're relying to a certain extent on the attacker sticking to the rules and considering the supciphers as subciphers, instead of just trying to cryptanalyse the whole mess. The other difficulty is that the more layers you add, the more key material you need - at a certain point, you begin to have trouble getting enough truly random data.
Re:Would obscurity be a solution? (Score:5, Funny)
Re:Would this be a solution? (Score:3, Insightful)
If you modify the encryption algorithm then you're probably introducing new holes into it or at the very least you have to distribure those modifications to whomever you want to decrypt it. In essance a type of one time pad. Either you have to create a new encryption algorithm for each message or group of messages that you send or choose one and stick with it. If you constantly change algorithms or modify you have to have some secure way of getting those modifications to whomever wants to decrypt it, which can be difficult. You could simply create or modify an algorithm and not tell anyone what it is except for the recipient but to do that you'd have to know alot about cryptography and hopefully know the benefits of peer review. The people that encrpt DVDs know the benefits of peer review, now, after they released DVDs using CSS. If your modified algorithm is broken you'd probably never know because who would tell you? The guys that are trying to read your encrypted data or the ones that don't want to read your email and don't have access to your modified algorithm?
The safest thing to do is either use a very long key or learn cryptography develop your own algorithm, get it peer reveiwed and then most likely use a very long key.
Re:Would this be a solution? (Score:2, Insightful)
Re:Would this be a solution? (Score:2)
I guess that just about sums it up.
Re:Would this be a solution? (Score:2)
Re:Would this be a solution? (Score:2)
The basic question is whether it's worth doing a two-or-three-algorithm solution as opposed to just making your keys longer. Depends a lot on your threat scenarios. Are you worried about the NSA cracking a key during your lifetime? Or are you running a bank and worried about bank robbers forging withdrawals? Or are you worrying about somebody forging your signature on an article on Slashdot? :-)
It turns out that it's easier to make signature systems use multiple algorithms than encryption systems - all you do is create a tuple of Sigalgo1(message,key1),Sigalgo2(message,key2)... as your signature (and use a representation that doesn't let the Bad Guy change how many bits of the signature string are interpreted as belonging to each algorithm) and there's none of this nesting business required that encryption systems use.
Computers, as proposed here *are* being used in conjunction with deep analysis - that's why the amount of computation required may have just dropped significantly. Reverse engineering doesn't really apply in this world, unless you're reverse engineering God's excellent job of making factoring difficult large numbers and interesting. :-) If you're doing some obscurity-based approach that requires reverse engineering, you've blown your chance at modern crypto work... Most of the public-key systems work by applying known hard algorithms in ways that let the work required to crack them be computationally infeasible, and it's understood that that's a shifting boundary - usually the crackers blow a dozen or so bits off the strength limits per year (some with faster computers, some with mathematical analysis), but the encryptors can add several hundred bits per year to the practical strength - doubling the number of key bits roughly quadruples the computation required, but you could do 512 bits conveniently enough on an 8086, so 2048 is no problem today, unless you've got packet size limitations which make that annoying, or unless you've got antique code that nobody wants to update for longer keys (particularly if the code is a silicon implementation of a bignum mulitplier), or unless you're running a web site that has to process a large number of connections per second, in which case this costs you actual money.
what would you do if you had a million dollars? (Score:2, Interesting)
would it be worth going for the brute force attack or would it be worth finding a different solution? not to mention how much money you could win and how much cancer you could cure with the idle time.
Re:what would you do if you had a million dollars? (Score:2)
When it comes to terrorism, encryption really isn't the main problem. Identifying, isolating and eliminating causes (be they philosophies -- such as a desire for complete theocratic control -- or individual people) is.
Pay attention. Security = risk management. (Score:5, Insightful)
Don't any of you bozos pay attention to prior articles? Security is about risk management. If you have something to protect that is worth $1bn for someone to steal and the only protection you have on it is 1024-bit crypto, you deserve to have it stolen.
Your homework for today is to (re)read Secrets and Lies. There will be a quiz.
Re:Pay attention. Security = risk management. (Score:2)
It doesn't cost the bad guys a billion dollars to steal your secret. It costs them a billion dollars to steal the secrets of everyone who uses the type of key the machine can crack. Your share might only be worth $10000 and it could conceivably still be worth their effort to buy/build the machine. Then you lose.
Your argument only makes sense if they have to dedicate their billion dollars to just cracking one key.
Re:Pay attention. Security = risk management. (Score:2)
$2e11 to 1e12 / 3 years / 365 days / 24 hrs
This means that all of your assets between 124,000 (if machine costs 200 million) and 634,000(for 1 billion) and above are all worthwhile "investments" of this machine's time.
Thank god I'm poor
Re:Pay attention. Security = risk management. (Score:2)
What do you see in the post that is inconsistent with this view? It claims that the cost of breaking 1024 bit keys is lower than previously believed. This means that risks must be reassessed.
If you have something to protect that is worth $1bn for someone to steal and the only protection you have on it is 1024-bit crypto, you deserve to have it stolen.
Guarding a $1B asset with a 1024 bit key would be foolish, with or without this finding. (For starters, the enemy doesn't necessarily have to build a cracker, they just have to rent time on one.) But who says we were talking about a $1B asset? Trivially, there exists some scenario in which 1024 bits was a good risk prior to this finding, but is no longer. So this finding is entirely relevant to a risk management approach.
Re:Pay attention. Security = risk management. (Score:2)
And there's the occasional corporate secrets to bust into once in a while. Ahhh.
Did I mention Pac Man?
The US government has something like this (Score:4, Informative)
Either that, or the American government suddenly have benevolent feelings to the rest of mankind and a minority of their software community. Yeah right.
Re:The US government has something like this (Score:2)
The NSA has the advantage of occasionally being able to spend a billion dollars on chips or machine design, which says that building something like the EFF's DES $250K cracker was done at NSA long before the public got there (though "long before" has Moore's Law implications...). They also have some good mathematicians focusing on problems like this, not only because they like to crack other governments' codes but also because they need serious estimates of the strengths of the codes they use, but the general opinion in the crypto community is that they're no longer particularly far ahead of the open academic world, and in some ways they're behind because it's hard to get good peer review on secret algorithms, and it's hard to get and keep good mathematicians if you don't let them publish and don't pay them much money either. I don't believe they had the ability to crack 1024-bit RSA or Diffie-Hellman keys before Bernstein's paper came out - but they *do* have Bernstein's paper now :-)
Re:The US government has something like this (Score:2)
Clearing up the deceptive intro (Score:5, Informative)
That intro is deceptive at best and is, well incorrect. Remember DES and other symmetric ciphers that currently use about 128-bit or so encryption are unaffected by this. Certainly, 1024-bit symmetric encryption (your typical secret password encryption) is going to be unbreakable for centuries based on current predictions. The intro should read asymmetric or public key encryption at 1024-bits
Secondly, the advances being talked about are in factoring large numbers into their prime factors using the Number Field Sieve (NFS). This algorithm is the most advanced known factoring algorithm and if you believe the article improvements show that factoring 1024-bit length primes is doable for 1 billion dollars or so. (It was only a few years ago this kind of cost was attached to building a DES cracking machine... today I could probably crack DES on my uni computers given the software. 1024-bit factoring is only a matter of time before it is easy). However, not all public key schemes rely on the difficulty of prime factoring. Elliptic curves rely on a different hard problem
Conclusion, the intro should read "1024-bit asymmetric encryption that relies on the difficulty of prime factoring (e.g RSA) should no longer be considered pristine"
Re:Clearing up the deceptive intro (Score:2)
The title is part of the article, and makes the necessary limitations. If you are going to nitpick, then at least nitpick correctly.
Re:Clearing up the deceptive intro (Score:5, Funny)
Oops, Mr. Smarty Pants! I can factor 1024-bit primes for $0!
Re:But can you prove that they are prime? (Score:3, Funny)
Re:But can you prove that they are prime? (Score:2)
All large provable primes are constructed in special forms in order to allow use of one of several fast proving algorithms.
Re:Clearing up the deceptive intro (Score:2)
Each extra bit doubles the time for a brute force attack so going from current 56bit keys, that's a lot of time.
The other useful analogy (cos noone really gets big numbers into their head) is that at 256 bits, there are more key possibilities than electrons in the universe!
Safe
Arbitrary costing = $1B (Score:5, Funny)
<TELEPHONE CORRESPONDANCE>
SHADY GOVERNMENT OPERATIVE: So how much will this 1024 decryption system cost?
PIMPLY TEEN HACKER: $1B US dollars to be deposited into my secure off-shore bank account and safe passage to the Maldives.
SHADY GOVERNMENT OPERATIVE: Excellent. The money is being transferred as we speak. Begin work.
</TELEPHONE CORRESPONDANCE>
<PIMPLY TEEN HACKER INTERNAL MONOLOGUE>
Sweet! I've just charged the US government 1 billion dollars for a beowulf cluster of dreamcasts running home-brew linux.
</PIMPLY TEEN HACKER INTERNAL MONOLOGUE>
<SHADY GOVERNMENT OPERATIVE INTERNAL MONOLOGUE>
Sweet! We will retrieve the 1 billion dollars once we crack the secure off-shore bank account's 1024 bit encryption system
</SHADY GOVERNMENT OPERATIVE INTERNAL MONOLOGUE>
:)
Laugh it's funny :-) (Score:2)
Okay, I've been hiding my idea, but who cares. I'm releasing it now and officialy proposing the creation of a machine capable of breaking 2048-bit crypto on the order of hours or even minutes for the measly cost of ~10B USD.
I'm currently soliciting offers from several major tech companies to fund this joint venture to be used only in the private sector.
Please call now.
Re:Laugh it's funny :-) (Score:2)
Read the Paper! (Score:5, Informative)
The reason is that the speed up is asymptotic with a suspected slow convergence.
But I agree that for security critical application 1024 bits is too short, even if only because there is not enough safety margin.
Find the paper by D.J. Bernstein here. [cr.yp.to]
Does It Scale Down? (Score:2)
I have plenty of minutes, but I don't have 1.0e9 $. I want to build a machine for $10,000 that can crack 1024 in 100,000 minutes (about 70 days). Then I could be the first to grab the RSA prize and if I wasn't first at least I'd have a really fast box.
Maybe I'm not clear on this but... (Score:3, Insightful)
Guess what else is in danger of compromise?? (Score:2)
Hey, I've got a much worse problem to report: Most people don't use encryption!!! Right now, we're all browsing slashdot, our credentials sent in plaintext, our sessions open for anybody to see! Almost everybody sends unencrypted e-mail!
Rather than freak out about the NSA being able to crack 1024-bit keys, maybe we should be doing more to actually get encryption used by people?
Only a billion dollars? (Score:2)
Only a billion dollars of the taxpayer's money to read other people's mail? The U.S. government will take 10.
Haha fools!!! (Score:4, Funny)
OK... Could Somebody Clue Me In? (Score:2)
According to an email from Lucky Green
That key of his seems awfully long. Sure enough, when I pasted it into a text file it was 46 kilobytes!!!
There must be something else in there besides the 2048-bit key, but what? Is the first part the public key, and the rest the encrypted message?
So, Just try and get people to use Encryption. (Score:2)
As a member of several mailing list most people do not even have gpg signatures, those that do never upload their public keys.
Breaking 1024 bit encrytpion isnt that big of a deal for most people.
I guess they like running naked through public parks.
Threat Assesment (Score:2)
Real Issue with encryption (Score:2, Interesting)
Think about how long the US government will take to adopt AES.... Same encryption are going to get weaker and weaker as times goes by, we have to adapt to the rate it fades out. But apparently, encryption standards takes time to develop and get accepted. We are very likely going to change standards every 5-10 years. Government agencies, are you coming along?
2048 bit (Score:3, Informative)
Each bit that you add roughly doubles the amount of time it takes to crack. 2048-bit encryption, although slow, is possible.
What this means is that, assuming that a 1024-bit key can be factored in 1 second, it would take roughly
57004475357125694689539104223396268823502567825
5466151385601004275993538836
5721983584043465919703756942
8489528438551201241199355703
7710357939232321268887397337
years to crack 2048 bit encryption. I'm not all that worried.
Re:2048 bit (Score:3, Insightful)
The problem has to be tackled at a more fundamental level - maybe by finding an inherent weakness in the algorithm, which can be used to decrypt the message without having to go through all possible key values.
For example, if a few (plain text, encrypted text) pairs are known, we can search for a pattern, apply the pattern in reverse to an encrypted message, and get back the original plain text message.
Re:2048 bit (Score:2, Informative)
The best general-purpose factoring algorithm today is the Number Field Sieve (NFS) [BLP94] [BLZ94], which runs in time approximately O(e1.9(lnn)1/3(lnlnn)2/3). Previously, the most widely used general-purpose algorithm was the Multiple Polynomial Quadratic Sieve (MPQS) [Sil87], which has running time O(e(lnn)1/2(lnlnn)1/2).
Most of us are safe (Score:2)
Re:Most of us are safe (Score:2)
Nah they cant risk that, for the children and for national security they will read everyones, they probably allready are.
a slightly-less-Amerocentric thought... (Score:3, Insightful)
ObDisclaimer: this isn't some pinko commie "FUCK YOU AMERIKKKA!" post... it's just an observation that I haven't yet seen made by another poster in the thread. I see a lot of people talking about the NSA, and breaking into banks, etc etc... but middle-class white male citizens of post-industrial western economies aren't the only people who have good reasons to use crypto, you know?
Shit (Score:2)
Sort of off topic, but honestly, the investment (for the machine) isn't worth it unless you plan on doing this a lot of times, and if somebody was going to do this on a case by case basis, it would be cheaper to hire one of Pol-pot's henchmen to do the job.
Ian Goldberg isn't worried (Score:4, Informative)
However, in a follow-up post [inet-one.com] to the cypherpunks mailing list, Ian said that he did not agree with the calculations.
In fact he says that the physical properties of the factoring machine seem "implausible", and that there is no reason to believe that the result applies to "real" key lengths like 1024 bit keys.
Just think about what they've been doing for years (Score:2, Informative)
The NSA has the budget to hire the best and brightest mathematicians money can buy. Whose to say that the NSA hasn't know about this for years? Sure, Bernstein could have simply "rediscovered" what the NSA has known for years.
There have long been rumrors of a $2-3B machine that the NSA has for breaking encryption. Taking time into account, that translates to that $1B machine now.
The NSA has likely been able to break these keys for years.
Re:Just think about what they've been doing for ye (Score:2)
Just a thought.
TWW
1024-bit RSA is in no danger. Not yet, anyway. (Score:5, Insightful)
Even Bernstein's original paper is clear to point out that while his mathematical results are correct, and that his proposal does allow RSA keys of size n bits to be factored in the time we currently think it takes to crack keys of size n/~3.009, he proved this to be true *only in the asymptotic case*!!
This means that for very, very large n Bernstein's results are known to hold. His paper is actually a grant proposal requesting funding so that he can spend the next few years finding out if it's possible to apply the same techniques to practical-sized keys. As I understand it, what Bernstein wants to study will still be purely theoretical. He wants to calculate what the savings factor is for smaller keys. The reduction factor for smaller keys may be as large as 3, or it may be smaller but still worthwhile, or it may be negligible.
Even after Bernstein has done his calculations for smaller keys (which will take years) the results will still be purely theoretical, and there will likely remain a great number of practical challenges in building the rather unique kind of hardware Bernstein is proposing. It's possible that even if the theory holds for smaller keys, building a real machine may still be impractical.
For more detailed discussion than you're likely to be able to digest, go read sci.crypt.
From what I've read, I would say that if you have secrets you need to keep for more than 5 years, you might consider using a 2048-bit RSA key, or switching from RSA to ECC.
Goof off (Score:2)
Misleading article (Score:4, Informative)
When the paper first came to prominence, yes, it looked worrying.
However... the speedup factor appears only to apply to LARGE numbers, not necessarily to smaller ones. Exactly how much advantage one gets for smaller ones is unclear.
Note that this paper is a "research proposal", not a finished item of research. It's a very interesting read, nevertheless
However, if you're worried then you should be using 2048-bit original-style RSA PGP keys anyway (or 3072 or even 4096 bit new-style RSA keys). You might want to avoid the DH/DSS keys since the signature part cannot exceed 1024 bit....
This is a DoS attack (Score:2)
Slashdot already ran this story! (Score:2)
Re:a billion here, a billion there (Score:2)
Nope (Score:2, Interesting)
2^2048 is 2^1024 times more than 2^1024 (that is, it's 2^1024 squared). Meaning that to crack 2^2048 - in theory - it would take roughly 1.797e308 times as long to crack.
More numbers: If this $1B computer could crack a 1024-bit key in one second (consistently), it would take 5.7e300 years to crack a 2048-bit. That's much longer than the life of the universe.
All this stuff is theoretical, of course. That's why you don't try to break the encryption, but rather look for holes in the software, or post-it notes on the monitor
-Xyphoid
Re:Nope (Score:2)
Re:Nope (Score:4, Insightful)
Bzzt! Wrong
That would be the case if the fastest attack was brute force, in fact there are much better attacks. 1024 bit RSA is generally considered to be equivalent in strength to an 80 bit symmetric cipher. 2048 bit RSA is only equivalent to about 132 bits.
Even so, the issue has been known for some time and that is why the crypto world is in the middle of a transition to 2048 bit keys. Only it will take arround 5 years to complete the move. VeriSign has been distributing 2048 bit root keys for some time.
Re:a billion here, a billion there (Score:2)
Wow! So if I only need to crack 128-bit keys I only need to spend something like $1.93831e-258! I can't wait to get started.
Re:But what's a measily $1B for a government agenc (Score:2, Funny)
Re:But what's a measily $1B for a government agenc (Score:2)
Re:But what's a measily $1B for a government agenc (Score:2)
Re:RC5-64 challenge (Score:2, Informative)
Re:so.... (Score:2)
Also, I think that putting a price tag on breaking 1024 bit encryption definitely qualifies as news for nerds. Who else would want to know?
Re:so.... (Score:2)
Re:so.... (Score:2)
How will you know when someone builds this machine and starts actually cracking the encryption? Do you really think 'they' will advertise the fact that they can factor keys in minutes? I find it more likely that 'they' will just quietly read the encrypted messages they want to read - from their point of view the longer people stick with key lengths they can crack, the better.
The general point is - the safest thing to assume is that once something is theoretically breakable in a practical timeframe, it is broken. Assuming that we will find out when a practical implementation is available seems a little naive.
Dan.
Re:Measly? (Score:2)
For instance, if a major government or other well-funded entity not averse to a little corporate espionage managed to intercept and decode information regarding, say, bids on major contracts, it could pay for itself very rapidly.
Huh??? (Score:2)
Send the message to the recipient in plain HTTP?
Get the recipient to walk all the way to your hosting site?
Your self host solution doesn't solve that problem. Or is incomplete at best.
Re:Price depreciation (Score:2)
What Schneider has overlooked that the machine in question is not a general purpose parallel machine. It is a specialised simple numerical unit matrix with flat memory architecture. Such beasts with up to 2^16 CPUs have already been designed and have been used for more then 10 years in processing of satellite data. All that is needed here is to up the numerical capabilities of the singele unit, up the number and up the memory interface bandwidth. It is something that can realistically be done in 3-5 years.
Still, it will remain a relatively specialised beast. The specialised 2^16 parallel hardware used for sat image processing has not depreciated over the last 10 years. Neither will this hardware because it will not become a commodity.
What is more worrying is that bernstein's model is close to the hardware model of the latest cray proposal (large number of CPUs on flat memory). And this is a commodity machine that money can buy now to be delivered tomorrow. It will not give you as much as the 1B price tag specialised hardware but it is sure worth a try.
Re:Price depreciation (Score:2)
Quantum Computers aren't real yet (Score:3, Informative)
It'll really be interesting when they start to get to ~64-bits of resolution (at least if they don't run into Heisenberg uncertainty problems when the resolution approaches Planck's constant.) Will the resolution of this technology scale that far? But things don't get interesting for public-key crypto until you're at ~512 bits.
Also, there are some problems that quantum computers can accelerate and some that it can't. For instance, factoring is tractable, if you've got enough resolution, and there's a quantum computer that was able to factor the number 15 into 5 and 3. So RSA and Diffie-Hellman are toast, at least for 4-bit keys :-) Perhaps for much longer keys, if QC can be developed, but perhaps not. It's not clear whether elliptic curves can be cracked by quantum computers, but then, it's not clear that they can't be cracked by better mathematics.
Basically, if They can crack everything using public-key technology, you're back to private-key methodology like Kerberos, or traditional methods like one-time pads and guys with Kevlar briefcases handcuffed to their wrists.
Re:Then use another Public-Key Algo! (Score:3, Informative)