1024-bit encryption is 'compromised'
By James Middleton [26-03-2002]
Upgrade to 2048-bit, says crypto expert
According to a security debate sparked off by cryptography expert Lucky Green on Bugtraq yesterday, 1,024-bit RSA encryption should be "considered compromised".
The Financial Cryptography conference earlier this month, which largely focused on a paper published by cryptographer Dan Bernstein last October detailing integer factoring methodologies, revealed "significant practical security implications impacting the overwhelming majority of deployed systems utilising RSA as the public key algorithm".
Based on Bernstein's proposed architecture, a panel of experts estimated that a 1,024-bit RSA factoring device can be built using only commercially available technology for a price range of several hundred million to $1bn.
These costs would be significantly lowered with the use of a chip fab. As the panel pointed out: "It is a matter of public record that the National Security Agency [NSA] as well as the Chinese, Russian, French and many other intelligence agencies all operate their own fabs."
And as for the prohibitively high price tag, Green warned that we should keep in mind that the National Reconnaissance Office regularly launches Signal Intelligence satellites costing close to $2bn each.
"Would the NSA have built a device at less than half the cost of one of its satellites to be able to decipher the interception data obtained via many such satellites? The NSA would have to be derelict of duty to not have done so," he said.
The machine proposed by Bernstein would be able to break a 1,024-bit key in seconds to minutes. But the security implications of the practical 'breakability' of such a key run far deeper.
None of the commonly deployed systems, such as HTTPS, SSH, IPSec, S/MIME and PGP, use keys stronger than 1,024-bit, and you would be hard pushed to find vendors offering support for any more than this.
What this means, according to Green, is that "an opponent capable of breaking all of the above will have access to virtually any corporate or private communications and services that are connected to the internet".
"The most sensible recommendation in response to these findings at this time is to upgrade your security infrastructure to utilise 2,048-bit user keys at the next convenient opportunity," he advised.
But a comment from well known cryptographer Bruce Schneier casts doubt on Bernstein's findings in practical application.
"It will be years before anyone knows exactly whether, and how, this work will affect the actual factoring of practical numbers," he said.
But Green, much to the clamour of "overreaction" from the Slashdot community, added: "In light of the above, I reluctantly revoked all my personal 1,024-bit PGP keys and the large web-of-trust that these keys have acquired over time. The keys should be considered compromised."
Whatever the practical security implications, one sharp-witted Slashdot reader pointed out: "Security is about risk management. If you have something to protect that's worth $1bn for someone to steal, and the only protection you have on it is 1,024-bit crypto, you deserve to have it stolen."