[Cryptography-dev] RSA key generation -- minimum key size?

[Jean-Paul Calderone]

On 02/11/2014 10:39 AM, Alex Gaynor wrote:
> Hey all,
>
> The last major issue blocking landing RSA key generation is a
> discussion over whether or not to enforce a minimum key size for newly
> generated keys.
>
> I am advocating for requiring that key_size be >= 1024. Here is why:
>
> * Smaller keys are factorable (768 is known to be factored publicly,
> it's extremely likely even larger is factorable by nation states);
> there is basically no reason to use these keys.
> * PyCrypto enforces a 1024 minimum, which means there is no difficulty
> in porting applications; as there would be if we used a larger minimum
> * Loosening the check in the future is much easier, from a backwards
> compatibility perspective, then tightening it.
>
> Thus, 1024 seems like a reasonable balance of these concerns.
>
> How do other people feel?

The pyOpenSSL test suite generates much smaller RSA keys (128, 384, 512,
576) because it's faster and the keys are never used for anything
security related (they're just to verify key generation works).

Of course pyOpenSSL doesn't use cryptography's RSA key generation APIs
so this isn't a reason for cryptography not to enforce this limit.  I
wonder if anyone using cryptography will have any similar concerns about
the performance of their test suite, though (on my laptop it takes 2ms
to generate a 128 bit key and 35ms to generate a 1024 bit key).

Regardless, this doesn't seem like a particularly awesome reason to
allow small keys to be generated.  I just thought it was worth
mentioning so it could be explicitly disregarded. :)

Jean-Paul


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 900 bytes
Desc: OpenPGP digital signature
URL: <http://mail.python.org/pipermail/cryptography-dev/attachments/20140211/eafb7195/attachment.sig>