[145687] in cryptography@c2.net mail archive
Re: Has there been a change in US banking regulations recently?
daemon@ATHENA.MIT.EDU (Steven Bellovin)
Tue Aug 17 17:16:56 2010
From: Steven Bellovin <smb@cs.columbia.edu>
In-Reply-To: <201008170119.o7H1JnvB011575@new.toad.com>
Date: Tue, 17 Aug 2010 17:08:12 -0400
Cc: Peter Gutmann <pgut001@cs.auckland.ac.nz>,
Cryptography List <cryptography@metzdowd.com>
To: John Gilmore <gnu@toad.com>
On Aug 16, 2010, at 9:19 49PM, John Gilmore wrote:
>> who's your enemy? The NSA? The SVR? Or garden-variety cybercrooks?
>
> "Enemy"? We don't have to be the enemy for someone to crack our
> security. We merely have to be in the way of something they want;
> or to be a convenient tool or foil in executing a strategy.
>
John, as you yourself have said, "cryptography is a matter of
economics". Other than a few academics, people don't factor large
numbers for fun; rather, they want the plaintext or the ability to forge
signatures. Is factoring the best way to do that? Your own numbers
suggest that it is not. You wrote "After they've built 50, which
perhaps only take six months to crack a key, will YOUR key be one of the
100 keys that they crack this year?" 100 keys, perhaps multiplied by 10
for the number of countries that will share the effort, means 1000
keys/year. How many *banks* have SSL keys? If you want to attack one
of those banks, which is *cheaper*, getting time on a rare factoring
machine, or finding some other way in, such as hacking an endpoint? For
that matter, don't forget Morris' "three Bs: burglary, bribery, and
blackmail". (Aside: I was once discussing TWIRL with someone who has
ties to the classified community. When I quoted solution speeds of the
we're discussing, he chortled, saying that the political fight over
whose solutions were more valuable would paralyze things.)
If the threat is factoring, there are cheaper defenses than going to
1024-bit keys. For example, every one under a given CA can issue
themselves subcertificates. For communication keys, use D-H; it's a
separate solution effort for each session. (Yes, it's cheaper if the
modulus is held constant.) Cracking the signing key won't do any good,
because of perfect forward secrecy.
You don't need long keys when they're used solely for short-lived
authentication -- DNSSEC comes to mind.
Now -- all that said, I agree that 2048-bit keys are a safer choice.
However, defenders have to consider economics, too, and depending on
what they're protecting it may not be a smart choice.