[Cryptography-dev] RSA key generation -- minimum key size?

alexs alexs at prol.etari.at
Tue Feb 11 17:20:16 CET 2014


 

I am fine with there being a lower bound, I just don't think 1024 is
the right number. 

 * 1024-bit is deprecated by every major standards
body with an opinion on these things. 

 * 1024-bit doesn't seem to
actually provide the benefit you'd want from a lower bound of making it
harder for users to end up with factorable keys. As Alex Gaynor points
out, nation states can probably break 1024-bit keys anyway. 

 * Smaller
keys, in particular 768-bit (and even 512-bit until recently) signing
keys are still in common usage in DKIM as they can be rotated frequently
and the harm of an attack is much lower than in e.g. TLS. 

 * Users
coming from PyCrypto shouldn't be using 1024-bit keys. Is there an
application we know about that having to use a higher minimum would
actually cause problems? 

* This doesn't actually improve security much
since we will still load much smaller keys from disk and also
(presumably?) accept them when verifying signatures. 

* If this is
about security, do we have to update this limit as research progresses?
What happens to users relying on downstream packages in e.g. Debian? 

*
This is hazmat, there are dinosaurs with laser guns in the documentation
to warn you about this stuff. 

I think the limit should either be
512-bit because it's the smallest key size with any significant usage in
the recent past so I doubt anyone would even notice it. Or it should be
2048-bit because that's what everyone actually recommends. 1024-bit
seems to be the worst of both worlds. 

My preference is for 512-bit
because I think this is the wrong place to be trying to improve
security. The right place might be in something like a JSON Web
Signatures or other higher level module where its more feasible to
enable users to reject insecure keys at verification time. 

On
11.02.2014 15:39, Alex Gaynor wrote: 

> Hey all, 
> 
> The last major
issue blocking landing RSA key generation is a discussion over whether
or not to enforce a minimum key size for newly generated keys. 
> 
> I
am advocating for requiring that key_size be >= 1024. Here is why: 
> 
>
* Smaller keys are factorable (768 is known to be factored publicly,
it's extremely likely even larger is factorable by nation states); there
is basically no reason to use these keys. 
> * PyCrypto enforces a 1024
minimum, which means there is no difficulty in porting applications; as
there would be if we used a larger minimum 
> * Loosening the check in
the future is much easier, from a backwards compatibility perspective,
then tightening it. 
> 
> Thus, 1024 seems like a reasonable balance of
these concerns. 
> 
> How do other people feel? 
> Alex 
> 
> -- 
> 
>
"I disapprove of what you say, but I will defend to the death your right
to say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
> "The
people's good is the highest law." -- Cicero
> 
> GPG Key fingerprint:
125F 5C67 DFE9 4084

 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/cryptography-dev/attachments/20140211/8198e5ec/attachment.html>


More information about the Cryptography-dev mailing list