From owner-freebsd-security Mon Mar 25 19:37:17 2002
Message-Id: <5.0.2.1.1.20020326024955.02392830@popserver.sfu.ca>
Date: Tue, 26 Mar 2002 03:37:10 +0000
To: freebsd-security@freebsd.org
From: Colin Percival
Subject: It's time for those 2048-, 3072-, and 4096-bit keys?

In light of DJB's widely-cited paper (http://cr.yp.to/papers.html#nfscircuit) on integer factorization circuits, along with subsequent analysis which suggests that such attacks might be practical, is it time to change the default key sizes in OpenSSH? While the practicality of the cracking machine proposed is still a matter of debate, it seems that the risk is sufficient, and the cost of increasing key sizes is sufficiently small, that there is little justification for not switching to a larger default key size.
While a couple of years ago it might have been argued that the initial cost of generating longer keys would be excessive, I can now generate a 4096-bit key in about 30 seconds on a rather low-end box, so I don't think key generation time is particularly relevant any more. Is there any other reason for not changing the default key size?

Colin Percival
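Whatever default OpenSSH ends up with, an administrator still has to find the RSA keys already deployed that fall below the chosen size. The following is an added example (not part of the original post) that parses the ssh-rsa wire format of an authorized_keys line and reports the modulus length; the helper that builds test lines produces synthetic, non-functional key material so the parser can be exercised offline.

```python
import base64
import struct

def _pack_string(data: bytes) -> bytes:
    """SSH 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def _pack_mpint(value: int) -> bytes:
    """SSH 'mpint' (RFC 4251): big-endian two's complement, so a leading
    zero byte is added when the high bit of the first byte is set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _pack_string(raw)

def make_synthetic_rsa_line(bits: int, comment: str) -> str:
    """Constructed test data: an authorized_keys-style line whose 'modulus'
    has exactly `bits` bits. It is NOT a real RSA key and cannot be used as one;
    only the encoded length matters for exercising the parser."""
    n = (1 << (bits - 1)) | 1          # top bit set, odd: right length only
    blob = _pack_string(b"ssh-rsa") + _pack_mpint(65537) + _pack_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

def _read_string(blob: bytes, offset: int):
    (length,) = struct.unpack_from(">I", blob, offset)
    offset += 4
    return blob[offset:offset + length], offset + length

def rsa_key_bits(line: str):
    """Return the RSA modulus size in bits of an OpenSSH public-key line,
    or None when the line is not an ssh-rsa key (e.g. ssh-ed25519)."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        return None
    blob = base64.b64decode(fields[1])
    keytype, off = _read_string(blob, 0)
    if keytype != b"ssh-rsa":
        return None
    _e, off = _read_string(blob, off)   # public exponent, not needed here
    n, _ = _read_string(blob, off)
    return int.from_bytes(n, "big").bit_length()

def audit_keys(lines, minimum=2048):
    """Return (comment, bits) for every ssh-rsa key shorter than `minimum`."""
    weak = []
    for line in lines:
        bits = rsa_key_bits(line)
        if bits is not None and bits < minimum:
            parts = line.split(maxsplit=2)
            weak.append((parts[2] if len(parts) > 2 else "", bits))
    return weak
```

Feed `audit_keys` the lines of real `authorized_keys` or `ssh_host_rsa_key.pub` files to list the keys that need regenerating.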