Kyle Rose <kr...@krose.org> writes:

>In that case, we should dispense with any larger key sizes and recommend
>exactly one per algorithm, and vary only on algorithm. Adopting this would
>simplify things even further by reducing the cipher set list by an order of
>magnitude.

Yup.

>Sadly, I'm guessing there are numerological requirements in various standards
>and regulations that make it necessary to keep both AES-128 and AES-256
>around, for example. There are also a ton of existing 2048-bit RSA keys that
>aren't going anywhere for a while.

You could just say "anything over 1536 bits, 1536 or 2048 recommended", which
would deal with both.

>I'm also skeptical of statements like "Using any known technology it's
>unlikely that humans can ever get beyond about 2^^100 operations", because
>that's true exactly up until it isn't.

Right, but if you're going to use that argument then AES is breakable until it
isn't, you can't find SHA-256 collisions until you can, quantum crypto can be
broken by whoever you're afraid of, and so on.

One thing we've become pretty good at doing is taking current progress on
breaking crypto and mapping out what'll happen in the future, to the point
where there have been zero sudden breaks of properly-designed algorithms (DES,
AES, IDEA, SHA, RSA, DH, and so on), ever.  In every case we've been able to
see, from a long way off, what's in store.

And to see what's in store for PKCs, you can't use the computers used by
mathematicians/numerologists, which all have infinite amounts of
zero-cycle-time memory, but the ones that actually exist in the real world.
For a 1024-bit RSA key that's around 40 terabytes of memory for the final
step, and a 1280-bit key would require roughly a petabyte of RAM, all in a
single machine or a single-machine equivalent (a standard distributed cluster
won't work because of interconnect latency problems).  So you'd need to
dedicate the entire Tianhe-2 to breaking a single 1280-bit key (I don't know
how its memory architecture will affect performance, I just chose the world's
most powerful supercomputer because that happens to be barely enough to attack
a 1280-bit key, so I'm not sure how many years of time you'd need).

Or you could just backdoor the server, which is what'll actually happen to
anyone who wants to get in.  Heck, just the interest on the power bill for the
Tianhe-2 (if you assume the computer itself comes for free) would be enough to
bribe most of the maintenance staff to plug in a trojan USB key for a minute
or two while they're cleaning.

And if you really are concerned about China secretly building a second
Tianhe-2 and using it to attack your mail server, just change your key once a
year and you're OK.

Peter.


_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls