RSA-640 has now been factored in 5 months with just 80 Opteron CPU's.
http://mathworld.wolfram.com/news/2005-11-08/rsa-640/

Mixmaster uses 1024bit RSA keys, and so does Tor. Isn't it time to move
to at least 2048bits? Hardly anybody uses 1024bits for anything these
days. Why are we?

[ Post a follow-up to this message ]

George Orwell wrote:

> RSA-640 has now been factored in 5 months with just 80 Opteron CPU's.
> http://mathworld.wolfram.com/news/2005-11-08/rsa-640/
>
> Mixmaster uses 1024bit RSA keys, and so does Tor. Isn't it time to move to
> at least 2048bits? Hardly anybody uses 1024bits for anything these days.
> Why are we?

I wouldn't get too panicked just yet. Each additional bit roughly doubles
the factoring time, so a 641 bit key would be 10 months, 642 = 20 months,
643 = 40 months... 1024 = something like 1.00E+120 months (a guesstimate,
check the math).

I suppose it's all about how long you want your data to be safe. There's
no such thing as a "forever" cypher unless you consider the OTP, but
they're impractical in most real life applications. So every common
encryption scheme is a compromise. For real time communications like Tor
where information generally looses value quickly, a "buffer" of a few
million years is more than sufficient for now I'd say. ;)

Not that it doesn't bear watching mind you. Computing power can double in
a year, and costs per calculation can drop dramatically. It's always good
to be aware of the state of things, but it's important not to shift into
"sky is falling" mode every time someone makes another step forward. It
just means things are evolving as expected. No surprises. It's assumed
that keys of a given size will become less secure over time, and any
anomaly in that time line would be a red flag. Even if the anomaly were
larger keys *not* being factored. Worst case scenario, such a thing might
indicate a flaw in the methods we use to factor, and make all previous
results invalid... place us in a state where we have no *clue* about the
security of our encryption algorithms. 

--
_?_      Outside of a dog, a book is a man's best friend.
(@ @)         Inside of a dog, it's too dark to read.
-oOO-(_)--OOo-------------------------------[ Groucho Marx ]--
grok!              Registered Linux user #402208

[ Post a follow-up to this message ]

-----BEGIN PGP SIGNED MESSAGE-----

Jeffrey F. Bloss wrote:

> I wouldn't get too panicked just yet. Each additional bit roughly doubles
> the factoring time, so a 641 bit key would be 10 months, 642 = 20 months,
> 643 = 40 months... 1024 = something like 1.00E+120 months (a guesstimate,
> check the math).

This is not true. A 640 bit RSA key is not 3,4e38 times harder to crack
than a 512 bit RSA key :-)

RSA-512 was broken in 1999
http://www.rsasecurity.com/rsalabs/node.asp?id=2098

Sorry to have to correct you on this,
Thomas
- --
Gothika: "How can you trust someone who thinks you are crazy"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

 iQB5AwUBQ3J9lQEP2l8iXKAJAQEYowMdGZcs9eqV
pxmKQCwaP8PlkkNZJovly4gx
 TS4L28Qahh351+6oMSTYiWIgs7Nh+Nf0mnBJdShX
r0GC8feJZr1sbAnksMsTWpna
 +rb4cxR+fNF5RTnJ1rH7R+H7XwGmdYrlF2buEA==

=Ssw+
-----END PGP SIGNATURE-----

[ Post a follow-up to this message ]

This is a Type III anonymous message, sent to you by the Mixminion
server at winnie.winstonsmith.info.  If you do not want to receive
anonymous messages, please contact winnie-admin@winstonsmith.info

-----BEGIN TYPE III ANONYMOUS MESSAGE-----
Message-type: plaintext

In <43727dea$0$11069$e4fe514c@news.xs4all.nl> "Thomas J. Boschloo" <nospam@hccnet.nl> wrote:

>-----BEGIN PGP SIGNED MESSAGE-----
>
>Jeffrey F. Bloss wrote:
> 
>
>This is not true. A 640 bit RSA key is not 3,4e38 times harder to crack
>than a 512 bit RSA key :-)
>
>RSA-512 was broken in 1999
>http://www.rsasecurity.com/rsalabs/node.asp?id=2098

thanks thomas, I couldn't find that url.

And it's all the more reason to migrate to a minimum of RSA-2048.

And while were in the neighbourhood, lets move the preferred hash algo to
at LEAST RIPEMD-160, preferably something like Whirlpool that is not based o
n
the same mathematical roots as md5 or SHA.


-----END TYPE III ANONYMOUS MESSAGE-----

[ Post a follow-up to this message ]

> thanks thomas, I couldn't find that url.
>
> And it's all the more reason to migrate to a minimum of RSA-2048.

Yes.  Why are we still using these lower bit lengths?

Tor also uses AES-128 instead of AES-256 for it's TLS.

[ Post a follow-up to this message ]