1024-bit Keys, At Risk?
Good day. I'd like to excerpt some text from last week's Security Alert Consensus newsletter, written by our friends at Neohapsis. It's a voice of reason amid the turmoil surrounding a research paper posted last week that describes how a large agency (such as the government) could feasibly build a machine capable of cracking 1024-bit length encryption keys. It's a short but good read.
An interesting and controversial research paper released a few weeks
ago discusses a new way to potentially factor 1024-bit RSA and DH
keys. At first, much of the security community was skeptical. But
lately, many notable researchers have agreed that the theory is
sound. While the reality of implementing the hardware discussed
in the paper in a typical commercial environment is limited (costs
can range upward of $1 billion), the potential for large government
organizations (local and foreign) isn't. The security implications
are that key sizes of 1024 bits and less can be considered weak and
inappropriate for extremely sensitive data; the downside is that many
SSL certificates and commercial applications use 1024-bit keys. In
general, our recommendation is to have all future-generated keys
be larger than 1024 bits and to look at updating current keys when
time and resources permit. A PostScript copy of the original paper
is available here
And today, the Neohapsis team published a follow-on to this initial report.
We also wanted to make a slight correction to a news blurb reported last week, regarding a new theory paper on cracking 1024-bit RSA keys. Just to be clear: The implications of the paper are still being debated and, even so, most of it is still theory, so there's no need to run out and upgrade your keys in the next week. In general, however, some people consider 1024-bit keys weak for certain sensitive data and think their lifespan might be coming to a close over the next few years. Thus, your organization may want to consider planning ahead and designing a migration path away from 1024 just in case.
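Planning a migration away from 1024-bit keys starts with knowing which keys are that size. The following is an added example, not code from the Neohapsis newsletter or from this blog: it reads the RSA modulus length out of PEM public keys and lists those at or below 1024 bits. The function names are hypothetical, and the sample keys are constructed placeholders of the right size, not real RSA moduli.

```python
import base64

RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption, 1.2.840.113549.1.1.1

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(pem):
    """Modulus size in bits of a PEM 'PUBLIC KEY' (SubjectPublicKeyInfo) holding RSA."""
    b64 = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    _, spki, _ = read_tlv(base64.b64decode(b64), 0)  # outer SEQUENCE
    _, alg, after_alg = read_tlv(spki, 0)            # AlgorithmIdentifier
    if read_tlv(alg, 0)[1] != RSA_OID:
        raise ValueError("not an RSA key")
    _, bitstr, _ = read_tlv(spki, after_alg)         # BIT STRING wrapping RSAPublicKey
    _, rsakey, _ = read_tlv(bitstr, 1)               # skip the unused-bits octet
    _, modulus, _ = read_tlv(rsakey, 0)              # first INTEGER is the modulus n
    return int.from_bytes(modulus, "big").bit_length()

def audit(keys, weak_max=1024):
    """Return {name: bits} for every key at or below weak_max bits."""
    sizes = {name: rsa_modulus_bits(pem) for name, pem in keys.items()}
    return {name: bits for name, bits in sizes.items() if bits <= weak_max}

# --- constructed sample input: DER encoder used only to build test keys ---
def tlv(tag, body):
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def der_int(v):
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def sample_pem(bits):
    n = (1 << (bits - 1)) | 1  # placeholder of the right size, not a real RSA modulus
    rsakey = tlv(0x30, der_int(n) + der_int(65537))
    alg = tlv(0x30, tlv(0x06, RSA_OID) + tlv(0x05, b""))
    der = tlv(0x30, alg + tlv(0x03, b"\x00" + rsakey))
    return "-----BEGIN PUBLIC KEY-----\n" + base64.encodebytes(der).decode() + "-----END PUBLIC KEY-----\n"

SAMPLE_KEYS = {"legacy-web": sample_pem(1024), "old-vpn": sample_pem(768), "new-web": sample_pem(2048)}

if __name__ == "__main__":
    for name, bits in audit(SAMPLE_KEYS).items():
        print(f"{name}: {bits}-bit RSA key, plan replacement")
```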
NWC Radio at your service
This morning, we managed to edit and post two streaming audio shows.
- Inside Network Computing: An interview with next Monday's cover story author, Jonathan Feldman, on how to create and maintain a healthy service provider relationship...not just for ISPs, mind you.
- CEO Minute: This is an audio interview I did with Kib Pearson, CEO of Satel, the company that managed security for the 2002 Winter Olympics. Very interesting stuff.
Posted by Brad Shimmin at 10:31:24 AM