[Ach] Fwd: Proposing RSA keylengths

Manuel Koschuch koschuch at gmx.net
Tue Nov 5 17:22:57 CET 2013


---------- Forwarded message ----------
From: *Manuel Koschuch*
Date: Tuesday, November 5, 2013
Subject: [Ach] Proposing RSA keylengths
To: ach at lists.cert.at




On Tuesday, November 5, 2013, Pepi Zawodsky wrote:

> On Keylengths I'd go with this recommendation:
>
> On RSA:
> < 2048 bits deprecated and should be replaced asap.
> 248 bits as the bare minimum with a recommendation to move to 4096 bit
> keys.
> 4096 bits as real world recommendation.
>
> [...]
>
>
>
> Regarding ECC I guess we have multiple problems. Not only the keylength to
> recommend, (strong) IF we do recommend using ECC at all, but also the
> curves to use. My understanding from yesterday's meeting (2013-11-04) was
> to not recommend ECC use at all. Maybe give a recommendation on how to use
> it if one decides to insist on ECC (for the moment).
>
> Do you second or disagree with my opinion on RSA keylength recommendations?
> Pepi
>


I do agree with the RSA recommendations.

Regarding ECC, I also have some doubts. Currently it seems impossible to
use DSA with >1.024 Bit Keys due to the SHA-1 constraint, leaving ECDSA as
a viable alternative. The reservations against ECC seem to stem mostly (as
least as far as I can tell) from the unclear generation process  of the
standardized curves.

RFC4492 also defines the possibility of using explicitly defined curves
over prime or extensions fields. Does anybody know if this capability is
supported in any real world product? I _think_ I saw code to handle generic
curves in OpenSSL once, but ECC in OpenSSL is a minefield on its own
(mostly due to patent issues..)

Regards
Manuel
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cert.at/pipermail/ach/attachments/20131105/270fe3cd/attachment.html>


More information about the Ach mailing list