[145667] in cryptography@c2.net mail archive


RE: non 2048-bit keys

daemon@ATHENA.MIT.EDU (ian.farquhar@rsa.com)
Mon Aug 16 15:00:53 2010

Date: Sun, 15 Aug 2010 22:49:25 -0400
From: <ian.farquhar@rsa.com>
To: <sneves@dei.uc.pt>, <gnu@toad.com>
Cc: <tls@rek.tjls.com>, <cryptography@metzdowd.com>

Samuel Neves wrote:

> If an attacker creating a special-purpose machine to break your keys is
> a realistic scenario, why are you even considering keys of that size?

What's the threat model?

If the set of possible actors includes first world SIGINT agencies, then yes, it is a reasonable assumption that a special configuration of system has been created to factor keys. Think IBM or pre-acquisition SGI or pre-acquisition Sun as a supplier of such hardware, scaled up way beyond the configurations you'd get in the marketing literature (tens of thousands of cores, terabytes of physical RAM, low-range nine-figure price tags).

But as such an attack would likely cost millions of dollars per key, because the time to solution would be weeks or even months, then they'll only be using it as a last resort. As Peter correctly pointed out, there are so many other viable threat vectors which are available, especially human-in-the-loop ones, which would likely be exhausted before that solution was tried.

For non-government level attacks, I agree that such a scenario is unrealistic.

Ian.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
