Recommended key size for life long key
dougb at dougbarton.us
Mon Sep 9 00:25:29 CEST 2013
On 09/08/2013 02:00 PM, Leo Gaspard wrote:
> And this means that, as long as the drawbacks associated with the use of the key
> are assumed by the key owner only (as the tables state, encrypt and verify
> operations being almost unchanged in time), preconizing 10kbit RSA keys is no
> issue, and can only improve overall security, to the key owner's usability's
> detriment at most.
The problem here is the "knowledge sieve" issue. Ole asked some
questions and did some research, then filtered what he got back through
a mixture of his preconceived notions, desires, etc. I'm not saying that
he picked only the data that agreed with his desired conclusion, but he
seems to have studiously ignored all of the facts that point to why what
he's trying to do is a bad idea.
Now the next reader is going to come along, very likely someone who is
more naive about encryption than Ole is, and filter that blog post
through his own preconceptions, impatience, etc.; and come to the
conclusion, "If I make a 10k key it'll be safe for life!" Has Ole done
this reader a disservice?
I think the biggest disservice is a false sense of security. If your
attacker can only pole vault 10 meters, and you already have a fence
1,000 meters high, does a 100,000 meter fence make you any more secure?
And what happens if your attacker develops a technique that is
universally effective against all fences, no matter the height?
The flip side question is, "What harm is there to using a 10k key?"
Aside from CPU and storage for the user of the key, everyone else in the
community bears part of the "cost" when they have to verify a signature
on an e-mail, for example. Is that a serious enough problem to cause us
to wish no one would suggest the use of 10k keys? I don't know.
... and all of this is presupposing that his "only a guess" has any
validity to it at all. I don't know the work by Arjen K. Lenstra and
Eric R. Verheul that he based his graph on, and I have no idea if Ole's
method of projecting key sizes out into the future is valid. What I DO
know (and Robert emphasized this point in his first post), is that those
authors, and other serious heavyweights in the crypto community have not
felt comfortable doing what Ole has done. That fact alone should be
enough reason for anyone not to take Ole's blog post seriously.
More information about the Gnupg-users