At 1:03 PM +0200 4/21/09, Shane Kerr wrote: >This section does not match up with the tiny bit of crypto research I've >done. The Wikipedia entry on key lengths references an RSA and a NIST >publication, both of which suggest 1024 bits not be used after 2010: > >http://en.wikipedia.org/wiki/Key_size#Asymmetric_algorithm_key_lengths > >So the "ten years" recommendation goes about 8 years beyond what >cryptographic experts suggest.
We should be making our recommendations on more than a tiny bit of crypto research. You can read the NIST recommendations directly, for example. They say pretty explicitly that they apply only to US federal use. They also do not suggest that 1024 in 2011 is actually expected to be broken. (Clearly, we should add a pointer to NIST SP 800-57 to this document, even though it seems unlikely that almost anyone will actually read it.) As I have said repeatedly, the best known attack as of today is against the equivalent of a 700-bit key. NIST's recommendations assume that it is very difficult to change a key as the attacks get better (as they surely will); that assumption is completely false for DNSSEC. >Perhaps one could suggest 1024-bits is enough for a ZSK that rolled >relatively frequently. However, looking at the RSA page, we see: > > Arjen Lenstra and Eric Verheul's methodical estimates [LV01] give > quite similar results for the security of 1024-bit RSA keys. In one > model, they project that in the year 2009, a machine costing about > $250 million could factor a 1024-bit RSA key in a day - so a $10 > million machine would take just under a month. > >This seems to imply that one would need to roll a ZSK every few weeks to > feel safe from cryptographic attacks if using 1024-bit keys. ...assuming that you feel that attacker would spend even a million dollars to break your key. This line of logic completely discounts common sense, however. Which is more valuable to an attacker: the ability to temporarily spoof DNS responses in your zone, or the ability to masquerade as any secure web site they want to? I'm not advocating that people use 1024 bit keys; that's up to them. If someone wants to use 2048-bit keys that take about four times as much effort to sign and verify, that's great. However, those people should make decisions based on facts about DNSSEC deployment, not extrapolations from estimates that are both speculative and based on key usage that is not applicable to DNSSEC. --Paul Hoffman, Director --VPN Consortium _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
