Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 13 Apr 2002 01:27:07 +1000
From:      Joshua Goodall <joshua@roughtrade.net>
To:        Garrett Wollman <wollman@lcs.mit.edu>
Cc:        Archie Cobbs <archie@dellroad.org>, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org, des@freebsd.org
Subject:   Re: cvs commit: src/crypto/openssh servconf.c
Message-ID:  <20020412152707.GD8927@roughtrade.net>
In-Reply-To: <200204120313.g3C3DnP83776@khavrinen.lcs.mit.edu>
References:  <200204112204.g3BM4eK56395@freefall.freebsd.org> <200204120044.g3C0i7W08442@arch20m.dellroad.org> <200204120313.g3C3DnP83776@khavrinen.lcs.mit.edu>

next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, Apr 11, 2002 at 11:13:49PM -0400, Garrett Wollman wrote:
> I'm not DES, but I can at least make a crack at it.
> 
> RSA and DSA are believed to be of comparable cryptographic strength,
> given the key sizes commonly used today.

At the recent Financial Cryptography '02 panel debates, it was put
forward that 1024-bit RSA cracking was now well within the cost
bounds of many governments and corporations. On the edge of paranoia,
some people are now revoking 1024-bit RSA keys and replacing them
with 2048-bit keys.

DSA's strength, like Diffie-Hellman's, is based on the problem of
finding discrete logs in finite fields. I'm no cryptographer, but
last I looked, the difficulty bounded RSA's; that is, if you have
a general algorithm to find those logs swiftly (i.e. broke DSA) then
you can also factor large primes (i.e. you broke RSA).

See also : http://www.scramdisk.clara.net/pgpfaq.html#SubRSADH

which appears to suggest that the discrete-logs-based publickey
systems are evaluating as "stronger", although falls shy of actually
recommending DSA over RSA.

> IIRC, when the SSHv2 protocol is officially blessed by the IETF,
> RSA will be required and DSA will be an option.

Other way around, I think - the current SecSH draft lists ssh-dss
(that is, DSA) as the only REQUIRED public key type, with RSA as
RECOMMENDED.

It's at:
http://www.ietf.org/internet-drafts/draft-ietf-secsh-transport-14.txt

I personally was happy with the 1024-bit DSA key choice that was
in place prior to the 3.1 import, and am less comfortable with the
1024-bit RSA that some bleeding-edge cypherpunks are already revoking.

Joshua


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020412152707.GD8927>