HOW to upgrade: 2.0.22 --> 2.3.3 ???
Robert J. Hansen
rjh at sixdemonbag.org
Fri Oct 4 16:35:02 CEST 2024
> A nation state with the ability to crack 1024 bit RSA would not spend
> years and billions of dollars on the messages/files of a single
> entity.

They absolutely would, in a heartbeat, and they'd consider it a bargain.

Imagine some major world power has a copy of an old message from
Vladimir Putin, signed in '99 using 1024-bit RSA. Is it worth a billion
dollars to break the key, allowing them to forge authentic-looking
messages that could be useful in disinformation campaigns?

Israel is believed to be a nuclear power but hard information on it is
rare. If you were Iran and were in possession of a 20-year-old copy of
their nuclear weapon locations, would you spend a billion dollars to
break that, even if 50% of the site locations have changed? Probably.

> They would be able to get the information they wanted for much
> less.

When it comes to breaking archival intercepts there may not be an
alternative. The U.S. in particular is well-known for archiving old
encrypted data in the hopes of breaking it later. VENONA, for instance.

In the digital forensics community there are stories of the USG
holding onto the shattered fragments of a CD-ROM that are being held for
the day when 3D scanning and modeling matures to the point they can
reassemble the CD-ROM from its fragments. Of the DF nerds I worked
with, all of us believed the story. We argued instead about whether we
had that capability yet, or how far away we were.

> So for current OpenPGP usage, 1024 bit RSA is for all practical
> purposes secure.

No. Just a flat no. If breaking RSA-1024 is feasible today, even if
it's not practical, it will be practical *soon*.

In the United States, Top Secret-rated national security information is
by default considered a grave threat to national security for 25 years.
The CIA even has some they've declared major threats for 50 years.

I have zero confidence RSA-1024 will be safe for even *five* years.

Stop using RSA-1024 today. The best time to stop using it was 25 years
ago, but if you missed that opportunity, today's the next best bet.
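
For readers acting on the advice in the message above, here is an added example (not part of the original post and not GnuPG's own code) that flags RSA keys below 2048 bits in `gpg --list-keys --with-colons` output. The function names, the 2048-bit default threshold and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Real use: gpg --list-keys --with-colons | weak_rsa_keys
# Record layout (GnuPG colon format): 1=type 2=validity 3=bits 4=algo
# 5=key ID; on "fpr" records field 10 is the fingerprint.

weak_rsa_keys() {
    # $1: minimum acceptable RSA modulus in bits (2048 is an assumed default)
    awk -F: -v min="${1:-2048}" '
        function emit() {
            if (pending) print kind, bits, status, fp, "primary=" primary
            pending = 0
        }
        $1 == "pub" || $1 == "sub" {
            emit()                        # previous key had no fpr record
            if ($1 == "pub") primary = $5
            # Algo 1, 2, 3 = RSA, RSA encrypt-only, RSA sign-only.
            if (($4 == 1 || $4 == 2 || $4 == 3) && $3 + 0 < min + 0) {
                pending = 1; kind = $1; bits = $3; fp = "(no fpr)"
                # Revoked and expired keys are reported too: ciphertext
                # archived while they were in use is still tied to them.
                if ($2 == "r") status = "revoked"
                else if ($2 == "e") status = "expired"
                else status = "active"
            }
        }
        $1 == "fpr" && pending { fp = $10; emit() }
        END { emit() }
    '
}

# Constructed sample listing (not real keys).
sample_listing() {
    cat <<'EOF'
pub:u:1024:1:AAAAAAAAAAAAAAAA:946684800:::u:::scESC:
fpr:::::::::1111111111111111111111111111111111111111:
uid:u::::946684800::::Old Key <old@example.org>:
sub:e:1024:1:BBBBBBBBBBBBBBBB:946684800:1009843200:::::e:
fpr:::::::::2222222222222222222222222222222222222222:
pub:u:4096:1:CCCCCCCCCCCCCCCC:1577836800:::u:::scESC:
fpr:::::::::3333333333333333333333333333333333333333:
pub:u:255:22:DDDDDDDDDDDDDDDD:1704067200:::u:::scSC:
fpr:::::::::4444444444444444444444444444444444444444:
EOF
}

sample_listing | weak_rsa_keys
```

Only RSA records are checked; other algorithms in the listing (such as algorithm 22 in the sample) are skipped.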