On 13-07-2010 15:00, Jeffrey Walton wrote:
Hi Jakob,

Are you sure about those numbers?
Yes. See SP800-57 [1].

I know SP800-57 says it, see below.

I know that proponents of ECC cryptography have been roundly
criticized for putting forward those specific numbers and for
talking NIST into repeating them in their official publications.
Many of the folks I work with want the FIPS conformance - especially
for the sales literature. There's no way I can sidestep it,
regardless of how RSA Data Security feels about it.

For FIPS compliance there is no way around a lot of dubious rules, such
as not using algorithms not yet approved by NIST, not using assembler
optimizations (for the higher FIPS 140-2 levels) etc.


proponents of the RSA and DH algorithms said that the
number was wildly exaggerated and proposed some much
smaller values.
I'm not willing to go out on a limb and recommend a smaller modulus (what
is RSA recommending, BTW?). I look at it this way: When DSS was
proposed, RSA Data Security lobbied hard to get an RSA Signature
included. They can't win them all....


Yes, that mostly dead company lost the political lobbying battle against Certicom, but I was asking about science, not politics.


On Mon, Jul 12, 2010 at 10:16 AM, Jakob Bohm <jb-open...@wisemo.com> wrote:
On 10-07-2010 20:13, Jeffrey Walton wrote:

The general approach is to encrypt data using a symmetric cipher (e.g.,
AES-256) with a randomly-generated key, and then encrypt that symmetric
key with the RSA (public) key.

AES-256 requires an RSA modulus with an equivalent strength, which is
15360 (IIRC). If you choose RSA-1024 or RSA-2048, you are off by
orders of magnitude.


Are you sure about those numbers?  I know that proponents of ECC
cryptography have been roundly criticized for putting forward those
specific numbers and for talking NIST into repeating them in their
official publications.

When the 15360 bit number was put forward as the RSA and DH key length
needed to match the strength of 256 bit ECC keys, proponents of the RSA
and DH algorithms said that the number was wildly exaggerated and
proposed some much smaller values.  I don't know if the general crypto
research community has since formed a consensus on what the real
numbers are.


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
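
The modulus sizes argued over in this thread can be reproduced from the asymptotic running time of the general number field sieve. The sketch below is an added example, not part of the original messages or of OpenSSL; the constants 1.923 and 4.69 and all function names are assumptions of this example. It shows how a figure like 15360 arises and how the RSA key caps the strength of an RSA-wrapped AES key.

```python
import math

# Assumed constants of this example: 1.923 ~ (64/9)^(1/3) from the GNFS
# running time L_n[1/3, c]; 4.69 is a calibration offset so 1024 bits ~ 80.
GNFS_C = 1.923
OFFSET = 4.69


def rsa_strength_bits(modulus_bits: int) -> float:
    """Estimated security level (bits) of an RSA/DH modulus of this size."""
    ln_n = modulus_bits * math.log(2)  # natural log of the modulus
    ln_work = GNFS_C * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3) - OFFSET
    return ln_work / math.log(2)  # convert e-based work factor to bits


def hybrid_strength_bits(modulus_bits: int, cipher_key_bits: int) -> float:
    """A symmetric key wrapped with RSA is only as strong as the weaker part."""
    return min(rsa_strength_bits(modulus_bits), float(cipher_key_bits))


def smallest_modulus_for(target_bits: int, step: int = 256) -> int:
    """Smallest modulus (multiple of `step`) whose estimate reaches target."""
    bits = step
    while rsa_strength_bits(bits) < target_bits:
        bits += step
    return bits


def report(cipher_key_bits: int = 256) -> list:
    """Rows of (modulus bits, estimated bits, shortfall against the cipher)."""
    rows = []
    for modulus_bits in (1024, 2048, 3072, 7680, 15360):
        est = rsa_strength_bits(modulus_bits)
        shortfall = max(0.0, cipher_key_bits - est)
        rows.append((modulus_bits, round(est, 1), round(shortfall, 1)))
    return rows


if __name__ == "__main__":
    for modulus_bits, est, shortfall in report():
        print(f"RSA-{modulus_bits:<6} ~{est:6.1f} bits, "
              f"{shortfall:6.1f} short of AES-256")
    print("smallest modulus for 256 bits:", smallest_modulus_for(256))
```

The estimate drops the o(1) term of the sieve's complexity and extrapolates it far beyond any factored modulus, which is the kind of assumption the thread is arguing about.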
