[46324] in North American Network Operators' Group
Re: 1024-bit RSA keys in danger of compromise (fwd)
daemon@ATHENA.MIT.EDU (Travis Pugh)
Mon Mar 25 19:13:30 2002
Message-ID: <00c701c1d45a$fc98c4e0$6400a8c0@jkfld.clm>
From: "Travis Pugh" <tdp@discombobulated.net>
To: "Len Sassaman" <rabbi@quickie.net>, <nanog@merit.edu>
Date: Mon, 25 Mar 2002 19:12:58 -0500
Len Sassaman <rabbi@quickie.net> writes:
> Prior to Bernstein's discovery that the row-reduction step in factorization
> could be made massively parallelizable, we believed that 1024-bit keys
> would remain unfactorable essentially forever. Now, 1024-bit RSA keys look
> to be factorable either presently, or in the very near future once Moore's
> law is taken into account. However, at a price tag of $2 billion for a
> specialized machine, we have a few years before anyone outside of the
> intelligence community attempts this.
>
> What is most concerning to me is a few discoveries that were made while
> looking into the problem of widespread use of 1024-bit keys:
Out of curiosity, was there any indication that Bernstein's
improvements might apply to the discrete log problem, DSA in general,
and the 1024-bit limit on key size built into NIST's DSS standard?
Revoking an RSA key and re-issuing a longer one might be a pain, but
there's no option for that in the current GPG implementation.
Cheers.
-travis
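Since the thread's concern is the widespread use of 1024-bit keys and the pain of revoking and re-issuing them, the first defensive step is knowing which keys are that size. The following is an added example, not code from the post or from GnuPG or NIST: a stdlib-only Python audit that parses DER-encoded RSA public keys, in either the PKCS#1 RSAPublicKey form or the X.509 SubjectPublicKeyInfo wrapper, and reports every modulus shorter than an assumed 2048-bit policy minimum. The sample keys are constructed inline with arbitrary odd moduli of the right size (not real products of two primes), and the 2048-bit threshold is an assumption for the example, not a figure from the post.

```python
"""Added example: audit DER-encoded RSA public keys by modulus size (stdlib only).
Handles PKCS#1 RSAPublicKey and the X.509 SubjectPublicKeyInfo wrapper."""
from typing import Dict, List, Tuple

# Assumed policy threshold for this example (not a value taken from the post).
POLICY_MIN_BITS = 2048


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(der: bytes) -> int:
    """Bit length of the RSA modulus n in a DER public key (PKCS#1 or SubjectPublicKeyInfo)."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    first_tag, first_val, pos = _read_tlv(body, 0)
    if first_tag == 0x30:
        # SubjectPublicKeyInfo: SEQUENCE { AlgorithmIdentifier, BIT STRING subjectPublicKey }
        bs_tag, bs_val, _ = _read_tlv(body, pos)
        if bs_tag != 0x03:
            raise ValueError("expected BIT STRING after AlgorithmIdentifier")
        return rsa_modulus_bits(bs_val[1:])  # drop the unused-bits octet; inside is PKCS#1
    if first_tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    # DER INTEGER is big-endian two's complement; a leading 0x00 only keeps n positive,
    # so bit_length() of the decoded value is the true modulus size.
    return int.from_bytes(first_val, "big").bit_length()


def audit(keys: Dict[str, bytes], min_bits: int = POLICY_MIN_BITS) -> List[Tuple[str, int]]:
    """Return (name, bits) for every key whose modulus is shorter than min_bits."""
    weak = []
    for name, der in keys.items():
        bits = rsa_modulus_bits(der)
        if bits < min_bits:
            weak.append((name, bits))
    return weak


# --- minimal DER encoder, used only to construct the sample inputs below ---
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der_int(v: int) -> bytes:
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:
        b = b"\x00" + b                    # pad so the INTEGER is not read as negative
    return b"\x02" + _der_len(len(b)) + b


def encode_pkcs1(n: int, e: int) -> bytes:
    body = _der_int(n) + _der_int(e)
    return b"\x30" + _der_len(len(body)) + body


# AlgorithmIdentifier for rsaEncryption (OID 1.2.840.113549.1.1.1) with NULL parameters.
_RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")


def encode_spki(n: int, e: int) -> bytes:
    pkcs1 = encode_pkcs1(n, e)
    bitstr = b"\x03" + _der_len(len(pkcs1) + 1) + b"\x00" + pkcs1
    body = _RSA_ALG_ID + bitstr
    return b"\x30" + _der_len(len(body)) + body


# Constructed sample moduli: odd numbers with the top bit set, NOT real RSA moduli;
# only their size matters for the audit.
SAMPLE_KEYS = {
    "legacy-1024-pkcs1": encode_pkcs1((1 << 1023) | 0x1357, 65537),
    "legacy-1024-spki": encode_spki((1 << 1023) | 0x2469, 65537),
    "current-2048-spki": encode_spki((1 << 2047) | 0x1357, 65537),
    "future-4096-pkcs1": encode_pkcs1((1 << 4095) | 0x1, 3),
}

if __name__ == "__main__":
    for name, bits in audit(SAMPLE_KEYS):
        print(f"{name}: {bits}-bit RSA modulus is below the {POLICY_MIN_BITS}-bit minimum")
```

To run this against real material, base64-decode the body of a `BEGIN PUBLIC KEY` or `BEGIN RSA PUBLIC KEY` PEM block and pass the bytes to `rsa_modulus_bits`; the parser deliberately reads only the modulus and ignores everything else, so it does not validate the key, it only sizes it.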