SSH Agent keys >4096 bit?
hka at qbs.com.pl
Fri May 4 00:27:10 CEST 2012
On Thursday 03 of May 2012 15:09:42 Robert J. Hansen wrote:
> On 05/03/2012 01:14 PM, Ali Lown wrote:
> > Does anyone know why the limit is set at 4096 bits
> The consensus of the cryptographic community is that beyond 3K keys you
> really need to be switching to elliptical-curve cryptography. A 3K RSA
> or Elgamal key is roughly as difficult to break by brute-force as
> AES128, and that one's so hard that nobody with two brain cells to rub
> together is going to try it.
It all depends on who you're talking to. French suggest 4k for AES128.
But if you've got data that needs to be protected for 30-40 years, using
AES256 is basically a no-brainer. Using just 4k RSA with that is not a smart
decision, and that's agreed by basically anybody (NIST, ECRYPT II). Especially
when the cost of establishing the link with 8k RSA is insignificant for any
session over 5min in length (as is common in SSH).
Besides that, Schneier and Ferguson say that basically any RSA based crypto
system should support 8k keys. Switching to ECC is not easy, you need to
change your whole infrastructure, protocols, management systems, etc. to allow
this. Generating extemely large keys is very easy in comparision.
Using large keys would be stupid only if you need low latency/high IOPS system
that can't use long lasting secure channels: web servers. But that's not our
: Practical Cryptography, Chapter: RSA Defined, section "The size of n",
QBS - Quality Business Software
02-656 Warszawa, ul. Ksawerów 30/85
tel. +48 (22) 646-61-51, 646-74-24
More information about the Gnupg-users