Re: Java applet security, exportability, Jon Postel haiku


Anonymous (nobody@replay.com)
Thu, 29 Oct 1998 00:55:22 +0100


> Look, I'm all for using fairly large keys, but the sort of
> simpleminded alarmism you're engaging in gets in the way of
> understanding how strong our cryptosystems actually are. Please do the
> math before you go ranting about how weak or strong things are.

I have a knack for very, very bad wording, don't I?

I did do the math, and agreed 80-bit keys are not *currently* weak no
matter how you slice the cracking job. I intended "it's time for those
128-, 192-, and 256-bit keys" solely as a reference to the message Deep
Crack cracked (see below); I wasn't trying to push any buttons by saying
that it was currently any threat to 80-bit keys, but rather was trying to
convey my opinion that, for any key size, the threat of an adversary
building a machine is smaller than that of an independent organization
making one.

By the way, regarding why the independent organization would be a bigger
threat, I was thinking more about how multiple simultaneous cracks could
be more efficient on one machine than about the cost-splitting part of it;
I don't know about the DLP, but at least for those symmetric ciphers with
lots of key setup (Blowfish, RC4, etc.), one big crack could be
substantially cheaper than lots of little ones. (If you're feeling an urge
to present another mathematical example, see above.)

And as to why I'm so vehemently opposed to the use of 80-bit keys when I
don't think they're crackable, it's mostly because I want to avoid a
situation in the future analogous to that we now have with DES (i.e., old
systems using crypto that we can crack now and NSA presumably could crack
for a while) by discouraging the use of shorter keys -- even if it involves
sarcasm regarding my kid sister.

And why the mention of 192- and 256-bit keys, ye might ask? It was in my
message because it was in RSADSI's message that Deep Crack cracked, and
was in RSADSI's message because of the AES requirements, and may have been
in the AES requirements because of the already-mentioned possibility of
quantum computers.

>
> -Ekr
>
> [Eric Rescorla ekr@rtfm.com]



The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:15:22