Re: Elliptic Curve Cryptography algorithm for key exchange

From: Sam Wilson (sam.wilson_at_bentley.com)
Date: 10/30/03 

Date: Thu, 30 Oct 2003 13:20:12 -0500

Bruce Schneier in Applied Cryptogrphy, Second Edition reports the same
thing:

symmetric key length public key length with similar resistance to
brute-force attacks
------------------------ ------------------------------------------------
--------------------
[snip]
80 768
112 1792
128 2304

(Table 7.9)

Schneier then goes on to say:

"In general ... you should choose a public-key length that is more secure
than your symmetric-key length. Public keys generally stay around longer,
and are used to protect more information." (Section 7.3)

*On the other hand* Schneier points out that the issue is really "How long
does [the protected data] need to be secure?" If, as he says, a 1024-bit key
is long enough to keep data secure for up to "even a few years" (p. 162),
isn't that plenty good enough for an SSL session that will last only a few
minutes? And even for signatures or e-mail messages that will last only a
few years at most? I guess that's the rationale for using 1024-bit keys in
communications-related software. But, let the developer beware before
blindly adopting the same keylength for encrypting data long term!

BTW has the DSS standard changed on this point? The last I checked, DSS
recommended 1024-bit keys.

Sam Wilson
Bentley Systems, Inc.

"Michel Gallant" <neutron@nspxistar.ca> wrote in message
news:OuoAervnDHA.1632@TK2MSFTNGP10.phx.gbl...
> "Pent" <pent> wrote in message
news:e$%2308bvnDHA.2456@TK2MSFTNGP09.phx.gbl...
> > Anything that needs better performance than current asymmetric algorithm
> > while providing the same strength?
> >
> > http://www.certicom.com/resources/ecc/ecc.html
> >
> > "[...] To successfully protect your data, a high security algorithm like
AES
> > demands equivalent security for the accompanying digital signatures and
key
> > exchanges. Otherwise, AES can be compromised through the weaker security
of
> > your public key cryptography.
> > Normally, this would mean the large key sizes required to match AES
levels
> > of security would overwhelm the processors of most mobile devices
>
> This is a good point ... suitably matching the symmetric key size with a
proper
> asymmetric recipient key. There is a good table describing this:
> "Writing Secure Code" 2nd Edn. 2003 Table 8-2 "Key-Size
Equivalences"
>
> There is an interesting comment there:
> "Do not protect a 128-bit AES key by using a 512-bit RSA key"
> which seems like a gross understatement.
>
> Also, the table indicates that to protect, say, a 128 bit RC2 key requires
at
> LEAST a ~ 2000 bit RSA key. Interesting since most SSL connections (or
> S/MIME usages) with 128 bit symmetric session key have only 1024 bit key
> protection! .. or is that table misleading?? would be nice to have M.
Howard
> post it for discussin here :-)
>
> Anyway, another trend, particularly in .NET documentation that should be
> at least be flagged, is the samples which encourage the use of AES, but
with
> only password derived (instead of asymmetric key protected) keys. This
might
> leads to developer perception of better security (i.e. AES) but in reality
poor
> protection with easily crackable pswd-derived AES keys!!
>
> - Michel Gallant
> Visual Security MVP
>
>
>

Relevant Pages

  • Re: Elliptic Curve Cryptography algorithm for key exchange
    ... "Pent" wrote in message news:e$%2308bvnDHA.2456@TK2MSFTNGP09.phx.gbl... ... > demands equivalent security for the accompanying digital signatures and key ... this would mean the large key sizes required to match AES levels ... protection with easily crackable pswd-derived AES keys!! ...
    (microsoft.public.platformsdk.security)
  • RE: Encryption question
    ... > sender's private key at the message hash. ... >>Alice encrypts her email to Bob using his public key. ... > Security Linux, the comprehensive security solution that combines six ... Protect your network against hackers, viruses, spam and other risks with Astaro Security Linux, the comprehensive security solution that combines six applications in one software solution for ease of use and lower total cost of ownership. ...
    (Security-Basics)
  • Re: passwords
    ... different security domain ... by a public key (that has been registered in lieu of a shared-secret ... both originate as well as validate an authentication ... ... public key can't be used to originate an authentication ... ...
    (alt.computer.security)
  • Re: What NSA?
    ... > 3DES was originally intended for protection of transfer ... > for certain banks, see e.g. ... http://www.garlic.com/~lynn/2003m.html#50 public key vs passwd authentication? ...
    (sci.crypt)
  • Re: public key vs passwd authentication?
    ... > I have a client that's turned off public key authentication. ... > examination of the security aspect, it'd make my job a lot easier/ ... http://www.garlic.com/~lynn/aadsm15.htm#2 Is cryptography where security took the wrong branch? ...
    (comp.security.ssh)