August 16, 2007

FUDWatch: NSA's shift to ECC, IESG lowers boom on cryptostrength, John Young on Fud versus Fud

The NSA is shifting to ECC. Old news, but here is some FUD:

Although RSA and Diffie-Hellman are both public-key algorithms, experts say they don’t scale well for the future. To make RSA and Diffie-Hellman keys, which now can go to 1,024 bits, secure for the next 10 to 20 years, organizations would have to expand to key lengths of at least 2,048 bits, said Stephen Kent, chief scientist at BBN Technologies. Eventually, key sizes would need to expand to 4,096 bits. “That’s enormous keys. To do the math operations underlying the keys takes longer and is more computationally intensive,” Kent said.

Shock, horror, what are the men in shadows saying? It's total nonsense. If you can recall that 1024 was more or less a mid 1990s standard, and we're a decade++ on in Moore's Law terms, you also can see through this bureaucratic stupidity.

What's going on? It's not clear. Maybe the NSA is indeed concentrating on very low power devices such as mobile phones, which do not have the grunt to do long keys (because they use their Moore's Law bounty to buy battery power).

But for everyone else, 4k keys are fine. There's no problem. Well, maybe one. Here's what the IESG said about OpenPGP:

Add to the end of section 15:

* OpenPGP does not put limits on the size of RSA public keys. However, large keys are not necessarily good. Larger keys take more computation time to use, and this can quickly be unusable. Most OpenPGP implementations set an upper bound of 4096 bits in RSA public keys. Some have allowed 8K or 16K, which are large enough to have problems in many environments. If an implementation creates keys larger than 4096 bits, it will sacrifice interoperability with most other implementations.

Now, let's not name names, but these two statements are so at odds that one wonders what they are smoking at the IESG. What, you might ask, is really going on!?!?

Let's ask John Young. Here is a great article on him and the Cryptome. If you want to avoid getting on his shitlist, read this article today!

To Young, complaints about agents' safety is pure tradecraft. You can't argue with spies, because everything they say is a lie. Former covert operatives have told him as much, he says. "They say, 'Don't believe that, it's just standard fare. It's a ploy.' If you believe any of this, you don't understand how spies operate. They lie so much and run so many false operations and plant so many false agents. They expose their own agents so much—there's nothing you can do that they haven't already done. In fact, they hope you will do it. To muddy the waters."

You didn't believe a word, right?

"There's a massive organization of hundreds of thousands of people around the world totally counting on secrecy," he says of the intelligence agencies he covers. "They are the most unreliable people in the world. And it's corrupted our culture. There's nothing that should be secret. Period."

Amen to that. I'll bet John Young uses 4k keys.

Posted by iang at August 16, 2007 01:34 AM | TrackBack
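
An added worked example, not part of the original post: it puts rough numbers on the key sizes quoted above (1024, 2048, 4096, 8K, 16K). It assumes the standard number-field-sieve heuristic with its o(1) term dropped, so the strength figures are approximate and run higher than standards-body tables, a generic square-root attack on the curve group for the ECC column, and schoolbook arithmetic (cubic cost) for the RSA private-key operation.

```python
import math

# GNFS heuristic work factor L_N[1/3, (64/9)^(1/3)], o(1) term dropped (assumption).
GNFS_C = (64 / 9) ** (1 / 3)


def rsa_strength_bits(modulus_bits: int) -> float:
    """Approximate log2 of the GNFS work needed to factor a modulus of this size."""
    ln_n = modulus_bits * math.log(2)
    work_ln = GNFS_C * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return work_ln / math.log(2)


def ecc_bits_for(strength_bits: float) -> int:
    """Curve size whose generic (Pollard rho) attack costs about 2^strength."""
    return math.ceil(2 * strength_bits)


def relative_private_op_cost(modulus_bits: int, baseline_bits: int = 1024) -> float:
    """RSA private-key operation cost relative to the baseline size,
    under the schoolbook-arithmetic model (cubic in modulus length)."""
    return (modulus_bits / baseline_bits) ** 3


def compare(sizes=(1024, 2048, 4096, 8192, 16384)):
    """One row per RSA size: (bits, ~strength, matching ECC bits, relative cost)."""
    rows = []
    for bits in sizes:
        strength = rsa_strength_bits(bits)
        rows.append((bits, round(strength, 1), ecc_bits_for(strength),
                     relative_private_op_cost(bits)))
    return rows


if __name__ == "__main__":
    print(f"{'RSA bits':>8} {'~strength':>10} {'ECC bits':>9} {'cost vs 1024':>13}")
    for bits, strength, ecc, cost in compare():
        print(f"{bits:>8} {strength:>10} {ecc:>9} {cost:>13.0f}")
```

Under this model, going from 4096 to 16384 bits multiplies the private-key cost by 64 while the estimated strength grows by less than a factor of two.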

I think it is reasonable for an individual to try to keep a secret (from the government) for his/her entire lifetime (100 years). However, there are very few government secrets that need to be kept quiet that long. So, what the NSA is suggesting for typical government use isn't necessarily good enough for the individual.

To even have a shot at protecting a secret for 100 years using RSA, I would need to use keys between 7K to 16K long. Even on a recent machine, generating a 16K key is time consuming--especially if we want to use a good random number generator with a good entropy collector.

Transparently publishing public keys via email, SMS, and instant message is also burdensome when those keys are significantly larger than the message that they are attached to. I believe that transparent publishing of public keys is the best way to change these types of communication from "public by default" to "private by default."

More and more communication is taking place on mobile cellular devices. There, performance is limited. More importantly, power usage side effects of performing big computations and the transmission of large keys are very important factors.

For these reasons, ECC's smaller equivalent key sizes seem to be a significant benefit to me. Unfortunately, I've yet to see any reference that will help me choose good parameters for ECC, and that creates a big FUD roadblock in my mind. More FUD comes from the fact that people keep saying that ECC isn't as strong as is currently believed (a claim also being made now about AES). I am not qualified to even know how to respond to these claims.

RSA looks like the safe and easy choice as long as its performance isn't a problem. When it does become a problem, it seems like ECC is the only viable alternative right now.

(By the way, I read your articles via your RSS or Atom feed. I noticed that your feed is plain text, which means that the hyperlinks don't work in the feed. It would be helpful if you could change the feeds to be HTML or XHTML. And, thanks for the great articles.)

Posted by: Brian at August 16, 2007 01:06 AM